WO2024041436A1 - Service request processing method and apparatus, and electronic device and storage medium - Google Patents


Publication number
WO2024041436A1
Authority
WO
WIPO (PCT)
Prior art keywords
business
interception
account
target account
target
Prior art date
Application number
PCT/CN2023/113405
Other languages
French (fr)
Chinese (zh)
Inventor
唐鑫琦
郭嘉
李圆
张备
王博仑
徐行
穆琳
林元
Original Assignee
抖音视界有限公司
脸萌有限公司
Application filed by 抖音视界有限公司, 脸萌有限公司
Publication of WO2024041436A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Definitions

  • the embodiments of the present disclosure relate to the field of Internet technology, and in particular, to a service request processing method, device, electronic device, and storage medium.
  • The platform usually identifies illegal requests based on manual or fixed rule review, and then intercepts the illegal accounts that send illegal requests to prevent such accounts from continuing to send them.
  • Embodiments of the present disclosure provide a service request processing method, device, electronic device, and storage medium.
  • embodiments of the present disclosure provide a service request processing method, including:
  • Obtain a target account, where the target account is an account with the risk of initiating illegal requests to the target business, and the target business has at least two business nodes; determine the corresponding key business node according to the target account, where the key business node is the business node with the best interception effect among the at least two business nodes when access interception is performed on illegal requests initiated by the target account; and perform access interception on the service requests sent by the target account based on the key business node.
  • an embodiment of the present disclosure provides a service request processing device, including:
  • An acquisition module configured to acquire a target account, which is an account with the risk of initiating illegal requests to the target business, and the target business has at least two business nodes;
  • A determination module configured to determine the corresponding key business node according to the target account.
  • The key business node is the business node with the best interception effect among the at least two business nodes;
  • An interception module configured to perform access interception on business requests sent by the target account based on the key business node.
  • an electronic device including:
  • a processor and a memory communicatively connected to the processor
  • the memory stores computer execution instructions
  • the processor executes computer execution instructions stored in the memory to implement the service request processing method described in the first aspect and various possible designs of the first aspect.
  • embodiments of the present disclosure provide a computer-readable storage medium.
  • Computer-executable instructions are stored in the computer-readable storage medium.
  • When the processor executes the computer-executable instructions, the business request processing method described in the above first aspect and various possible designs of the first aspect is implemented.
  • embodiments of the present disclosure provide a computer program product, including a computer program that, when executed by a processor, implements the service request processing method described in the first aspect and various possible designs of the first aspect.
  • embodiments of the present disclosure provide a computer program that, when executed by a processor, implements the service request processing method described in the first aspect and various possible designs of the first aspect.
  • The business request processing method, device, electronic device and storage medium provided by the embodiments of the present disclosure obtain the target account, which is an account with the risk of initiating illegal requests to the target business, and the target business has at least two business nodes; according to the target account, determine the corresponding key business node.
  • The key business node is the business node with the best interception effect among the at least two business nodes when access interception is performed for illegal requests initiated by the target account; based on the key business node, access interception is performed on the business request sent by the target account. Because before intercepting illegal requests initiated by the target account, the key business nodes in the target business with better interception effects are first evaluated, and then access interception of illegal requests initiated by the target account is performed on the key business nodes.
  • Figure 1 is an application scenario diagram of the business request processing method provided by an embodiment of the present disclosure
  • FIG. 2 is a schematic flowchart 1 of a service request processing method provided by an embodiment of the present disclosure
  • FIG. 3 is a flow chart of specific implementation steps of step S102 in the embodiment shown in Figure 2;
  • Figure 4 is a schematic diagram of access interception for business nodes provided by an embodiment of the present disclosure.
  • FIG. 5 is a flow chart of specific implementation steps of step S1022 in the embodiment shown in Figure 3;
  • FIG. 6 is a flow chart of specific implementation steps of step S103 in the embodiment shown in Figure 2;
  • Figure 7 is a schematic flowchart 2 of a service request processing method provided by an embodiment of the present disclosure.
  • Figure 8 is a schematic diagram of a behavioral feature provided by an embodiment of the present disclosure.
  • FIG. 9 is a flow chart of specific implementation steps of step S207 in the embodiment shown in Figure 7;
  • Figure 10 is a structural block diagram of a service request processing device provided by an embodiment of the present disclosure.
  • Figure 11 is a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure.
  • FIG. 12 is a schematic diagram of the hardware structure of an electronic device provided by an embodiment of the present disclosure.
  • FIG 1 is an application scenario diagram of the business request processing method provided by the embodiment of the present disclosure.
  • The business request processing method provided by the embodiment of the present disclosure can be applied to security protection and risk control management scenarios of an Internet platform, more specifically, for example, to security protection on social platforms.
  • the method provided by the embodiment of the present disclosure can be applied to the risk control server.
  • The risk control server is connected to the platform server. An external request sent by the terminal device first enters the risk control server, which processes it and identifies and intercepts illegal requests; normal, legal requests are then sent to the platform server, which responds to them and generates platform content such as user messages and published information.
  • Illegal behaviors such as cyber attacks, information theft, extortion and fraud using Internet technology are also increasing, for example, promoting illegal websites or publishing fraudulent information on Internet social platforms in order to obtain illegal income.
  • the above-mentioned illegal behaviors are usually achieved by using Internet technology to automatically send business requests to the platform server, thereby registering accounts on Internet social platforms in batches, and disguising themselves as real users to publish illegal content.
  • social platforms usually identify business requests for illegal business purposes based on rules, and then intercept illegal accounts that send illegal requests at fixed business nodes to prevent such illegal accounts from continuing to send illegal requests.
  • Interception at fixed nodes is easily identified by the attackers who send illegal requests, who then bypass it by modifying the sending parameters, resulting in poor interception effects and low interception accuracy.
  • FIG. 2 is a schematic flowchart 1 of a service request processing method provided by an embodiment of the present disclosure. The method in this embodiment can be applied in the server.
  • the service request processing method includes:
  • Step S101 Obtain a target account.
  • the target account is an account with the risk of initiating illegal requests to the target business.
  • the target business has at least two business nodes.
  • the target account is a subset of all accounts registered on the server, more specifically, the illegal account in the above application scenario introduction.
  • The target account in this embodiment is a batch of accounts registered by an attacker (illegal gang), that is, aggregated accounts with similar characteristics in one or more dimensions.
  • The target account may refer to an account that has a record of sending illegal requests, or that is assessed as likely to send illegal requests, where an illegal request is a business request containing illegal content sent to the server, and the illegal content is, for example, fraud information, illegal website information, etc. After the illegal request is responded to by the server, the illegal information will be displayed on the corresponding network platform.
  • the target account can be obtained through account data preset in the server, or can be determined by detecting business requests sent by different accounts in real time and evaluating them. There is no specific limitation here.
  • the illegal request initiated by the target account corresponds to the target business.
  • the target business is, for example, publishing status on social platforms, publishing comments, and other services.
  • the target business has at least two business nodes.
  • the target business is publishing status on a social platform.
  • The business nodes corresponding to the target business include: "Register Account", "Login Account", "Follow Friends", and "Publishing Status".
  • The target account needs to send a service request to each business node respectively, thereby ultimately achieving the purpose of sending an illegal request to the target business (posting a status containing illegal content on the social platform).
  • Step S102 Determine the corresponding key business node according to the target account.
  • the key business node is the business node with the best interception effect among at least two business nodes when access interception is performed on illegal requests initiated by the target account.
  • the corresponding key business node is determined, that is, the business node with the best interception effect when intercepting illegal requests initiated by the target account.
  • The business node with the best interception effect is, for example, the business node with the highest interception rate for illegal requests; or, for example, the business node that consumes the least computing resources during the interception process; or, for example, the business node with the longest effective interception time for illegal requests.
  • For example, the characteristic of the target account is the number of target accounts, and the corresponding key business node is determined based on the number of target accounts; for another example, the characteristic of the target account is the historical interception records corresponding to the target account: by obtaining the historical interception records of the target account, the effect of interception at each business node for the target account is judged, thereby determining the key business node.
  • The specific implementation steps of step S102 include:
  • Step S1021 Obtain the first service request sent by the target account.
  • Step S1022 According to the first service request, determine the interception revenue corresponding to each business node.
  • The interception revenue represents the effective interception duration, based on unit computing resources, of intercepting the attacker to whom the target account belongs at the corresponding business node.
  • the service request sent by the target account is detected.
  • After the first service request sent by the target account is detected, the first service request is intercepted at different service nodes and the interception effect, that is, the interception revenue, is evaluated.
  • the attacker who sent the illegal request bypassed the access interception at business node A by changing parameters; after interception at business node B, the attacker who sent the illegal request bypassed the access interception at business node B after 8 hours by changing the parameters. That is, the effective interception time at business node B is longer and the interception revenue is higher.
  • Figure 4 is a schematic diagram of access interception for business nodes provided by an embodiment of the present disclosure.
  • the process of determining the interception revenue corresponding to each business node is introduced below in conjunction with Figure 4.
  • The target business is the "publish status on a social platform" business.
  • The target business includes the "Login Node", the "Status Editing Node", and the "Status Display Node".
  • The first service request needs to be sent to each business node ("Login Node", "Status Editing Node", "Status Display Node"), where the first service request includes three sub-requests, namely the first sub-request for the "Login Node", the second sub-request for the "Status Editing Node", and the third sub-request for the "Status Display Node".
  • the target account includes N accounts, where N is an integer greater than 2, where the target account is divided into three account sets, namely account set A, account set B, and account set C.
  • The target account is intercepted at different business nodes, so that the target account cannot carry out the target business.
  • The attacker who uses the target account to send illegal requests will change the parameters in the business requests by adjusting and modifying the program script, such as changing the content keywords or login information in the business request, to avoid interception and trigger the target business normally (such as posting a status containing illegal information on a social platform).
  • the time cost and computing resource cost of the attacker who sends the illegal request to identify the interception rules and avoid the interception are different.
  • the attacker can directly re-register a new account through the program script to launch the attack. Therefore, the time cost and computing resource cost spent by the attacker to avoid interception are relatively low, that is, the effective interception time is short; whereas after access interception at the "status display node", the attacker needs to send requests to multiple nodes such as the "login node" and the "status editing node" through the target account, and at the same time needs to analyze the reasons and rules why illegal content cannot be displayed on the social platform in order to avoid interception. This costs more computing resources and time, that is, the effective interception time is longer.
  • the above introduction is only exemplary.
  • The effective interception time of intercepting the attacker to whom the target account belongs at different business nodes is affected by many factors. Therefore, the actual effective interception duration at each business node can be detected and used to determine the interception revenue corresponding to each business node.
  • step S1022 includes:
  • Step S1022A Based on the preset unit computing resources, perform access interception at different business nodes for the first service request sent by the target account, and record the first time corresponding to each business node.
  • The first time is the start time of access interception.
  • Step S1022B Detect the second service request for different service nodes sent by the target account, and record the second time corresponding to the second service request, where the second service request is a service request that bypasses access interception, and the second time is the time when the second service request is received.
  • Step S1022C Determine the interception revenue corresponding to each service node based on the first time and the second time.
  • Step S1023 Determine key business nodes based on interception revenue.
  • computing resources include, for example, thread resources, memory resources, network resources, etc.
  • The computing resources are measured in units, that is, computing resources of a preset size; the specific size is not limited. Using the unit computing resources, some accounts in the target account are intercepted at different business nodes and the corresponding time is recorded, that is, the first moment; then, the second service request sent by the target account for each service node is detected, and the moment when the second service request is received is obtained, that is, the second moment, where the second service request is a service request that bypasses access interception.
  • The illegal information contained in the first service request is "www.xxx.cn" (for example, a fraudulent website); the server intercepts the first service request at the "status display node" and replaces the illegal information "www.xxx.cn" with the string "######"; the attacker then modifies the request parameters, changes the illegal information "www.xxx.cn" to "www(/).xxx(/).cn(/)", and generates a second service request based on the modified illegal information to evade the server's identification of the illegal information "www.xxx.cn" in the first service request, thereby bypassing access interception.
  • the effective interception duration of access interception at the corresponding business node can be determined, thereby obtaining interception benefits. Furthermore, the business node with the greatest interception revenue is determined as the key business node.
  • The interception revenue of each business node is continuously detected, and the business node with the largest interception revenue is selected as the key business node. In subsequent steps, illegal requests initiated by the attacker are intercepted based on the key business node, which increases the attacker's network attack cost and thereby improves the interception efficiency for illegal requests and the utilization of computing resources.
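Steps S1022A to S1023 as an added Python example (not code from the patent): it computes each node's interception revenue as effective interception hours per unit of computing resource and selects the node with the largest value. The timestamps, resource units, record layout and the rule of counting a not-yet-bypassed interception up to the current time are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class NodeTrial:
    """One interception trial at a business node (hypothetical record layout)."""
    node: str
    first_time: datetime             # S1022A: moment access interception starts
    second_time: Optional[datetime]  # S1022B: first bypassing request, None if none seen yet
    resource_units: float = 1.0      # unit computing resources spent on the trial


def interception_revenue(trial: NodeTrial, now: datetime) -> float:
    """S1022C: effective interception hours per unit of computing resource."""
    if trial.resource_units <= 0:
        raise ValueError("resource_units must be positive")
    # Assumption: an interception that has not been bypassed yet is counted
    # up to 'now', which is a lower bound on its effective duration.
    end = trial.second_time if trial.second_time is not None else now
    if end < trial.first_time:
        raise ValueError("bypass observed before interception started")
    hours = (end - trial.first_time).total_seconds() / 3600.0
    return hours / trial.resource_units


def key_business_node(trials: List[NodeTrial],
                      now: datetime) -> Tuple[str, Dict[str, float]]:
    """S1023: the node with the greatest interception revenue is the key node."""
    if not trials:
        raise ValueError("no trials recorded")
    revenues = {t.node: interception_revenue(t, now) for t in trials}
    return max(revenues, key=revenues.get), revenues


# Constructed sample: node names follow the Figure 4 description,
# all times and resource figures are invented for the example.
T0 = datetime(2024, 1, 1, 0, 0)
SAMPLE_TRIALS = [
    NodeTrial("Login Node", T0, T0 + timedelta(hours=2)),
    NodeTrial("Status Editing Node", T0, T0 + timedelta(hours=5), resource_units=2.0),
    NodeTrial("Status Display Node", T0, T0 + timedelta(hours=8)),
]

if __name__ == "__main__":
    key, revenues = key_business_node(SAMPLE_TRIALS, now=T0 + timedelta(hours=12))
    for node, value in revenues.items():
        print(f"{node}: {value:.1f} h per resource unit")
    print("key business node:", key)
```

Re-running the selection as new second times arrive is what makes the interception point move when the attacker changes parameters.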
  • Step S103 Based on the key business nodes, perform access interception on the service requests sent by the target account.
  • access interception is performed on the business requests sent by the target account based on the key business nodes, so as to dynamically maximize the interception efficiency.
  • the key business node is the "Add Friend" business node in a social platform
  • The attacker can register "target accounts" in batches through program scripts and send business requests to perform operations such as user login and likes, but cannot perform "add friends"; when the attacker modifies the parameters and sends illegal requests again, the interception revenue of each business node may change and the key business node may change accordingly, for example, to the "post information" business node in the social platform, that is, the attacker can perform operations such as user login and adding friends by sending business requests, but cannot publish information.
  • dynamic access interception to the target account is achieved.
  • The specific implementation steps of step S103 include:
  • Step S1031 Determine an interception strategy based on key business nodes.
  • the interception strategy represents the preset allocation of computing resources to each business node.
  • Step S1032 According to the interception policy, intercept the service request sent by the target account at the key service node and at least one other service node.
  • The risk control server needs to process a large amount of request data in real time, and multiple attackers send illegal requests to the platform at the same time. Therefore, the interception strategy for illegal requests needs to consider the overall computing resource allocation of the risk control server to ensure real-time processing of business requests. Specifically, after the key business node is determined, more computing resources can be allocated to it, for example, access interception on all target accounts is performed only at the key business node; at the same time, the other business nodes in the target business are allocated a small amount of computing resources to intercept some of the target accounts, thereby forming a more complex interception strategy.
  • the interception strategy can be provided through a pre-trained processing model, that is, the target business and key business nodes are used as input, and the corresponding interception strategy is output through the pre-trained processing model.
  • The target account is an account with the risk of initiating illegal requests to the target business, and the target business has at least two business nodes; according to the target account, the corresponding key business node is determined, where the key business node is the business node with the best interception effect when intercepting illegal requests initiated by the target account; based on the key business node, access interception is performed on the business requests sent by the target account. Because the key business node with the better interception effect in the target business is evaluated before illegal requests initiated by the target account are intercepted, and the interception is then performed at that key business node, the interception accuracy for illegal requests is improved; at the same time, a dynamic interception of the target account is formed, which makes it more difficult for the target account to bypass interception by changing access parameters and improves the efficiency of computing resources.
  • Figure 7 is a schematic flow chart 2 of a service request processing method provided by an embodiment of the present disclosure. Based on the embodiment shown in Figure 2, this embodiment adds the steps of determining the target account and updating the interception policy based on the complaint data.
  • Business request processing methods including:
  • Step S201 Detect daily business requests.
  • Step S202 Obtain multi-dimensional characteristics of daily business requests.
  • The risk control server, that is, the execution subject of this embodiment, performs indiscriminate processing or random detection on the business requests sent by users to the risk control server through terminal devices, to obtain business requests sent by different accounts, that is, daily business requests. Afterwards, the multi-dimensional features corresponding to the daily business requests are obtained.
  • multi-dimensional features include at least two of the following categories: account features, device features, behavioral features, and content features. Each feature is introduced in detail below:
  • Account characteristics, that is, the characteristics of the account that sends the daily business request, such as account identification (such as account name, account avatar), account creation time, account registration information (such as age, gender, residence and other information set in the account), etc.
  • the daily business request may include the identification information of the account that sends the request, and the account characteristics can be further determined through the identification information.
  • Device characteristics, that is, characteristics of the device on which the account that sent the daily business request is logged in, such as device identification, device model, device login time, device network address, etc.
  • the daily service request may include the identification information of the device sending the request, and the device characteristics may be further determined through the identification information.
  • Behavioral characteristics characterize the order of the daily business requests sent by the same account for different business nodes, that is, the order in which business requests are sent to each business node of the target business, or the timing of triggering each business node. Behavioral characteristics can be jointly determined through the specific content information of multiple daily business requests.
  • Figure 8 is a schematic diagram of a behavioral feature provided by an embodiment of the present disclosure.
  • Content characteristics, that is, characteristics of the content in the daily business requests sent, such as specific keywords and statements containing specific keywords, and/or the behavioral content that goes with a behavioral characteristic; for example, when a daily business request is used to trigger the "add friends" business node, the corresponding content feature is the account ID of the friend to be added.
  • Content characteristics can be determined through specific content information in daily business requests.
  • Multi-dimensional features refer to the combination of at least two of the above four features. More specifically, multi-dimensional features can include multiple subcategories of each type of feature (account features, device features, behavioral features, content features), thereby obtaining more dimensional combinations. For example, multi-dimensional features can include 500-dimensional features, thereby achieving a more accurate description of business requests.
  • Step S203 Cluster accounts corresponding to daily business requests according to multi-dimensional features to obtain multiple clustered accounts.
  • A clustered account is a set of multiple accounts with the same clustering features, where the clustering features are a subset of the multi-dimensional features.
  • Step S204 Determine the target cluster account according to the number of accounts in each cluster account, and the account in the target cluster account is the target account.
  • multi-dimensional features are equivalent to the description information of daily business requests.
  • For daily business requests sent by normal accounts, because different users use the Internet platform in different ways and for different purposes, the characteristics of their daily business requests are random across multiple dimensions. Therefore, daily business requests issued by normal accounts are usually not concentrated under the same multi-dimensional characteristics.
  • For illegal accounts (target accounts) registered by attackers using script programs, the illegal requests issued are driven by program scripts.
  • The accounts corresponding to daily business requests with the same multi-dimensional characteristics are clustered to obtain clustered accounts. Afterwards, the number of accounts in each clustered account is evaluated. When the number is greater than the preset value, it is determined that the accounts in that clustered account are abnormal and at risk of initiating illegal requests, that is, they are target accounts.
  • The daily business requests are comprehensively judged from multiple dimensions, and based on the aggregation of the multi-dimensional features of daily business requests, illegal requests generated by script programs are accurately distinguished from the normal business requests sent by ordinary accounts, achieving precise positioning of the target account.
  • This method avoids the problem of being unable to accurately locate the target account due to the attacker changing the request parameters in the existing solution of judging the target account based on expert experience, and improves the detection accuracy of illegal accounts.
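Steps S202 to S204 as an added Python example (not code from the patent): accounts are grouped by identical values of a chosen subset of features, and every cluster larger than a preset value is reported as target accounts. The request layout, the three clustering features, the preset value of 3 and all sample records are constructed for illustration.

```python
from collections import defaultdict

# Clustering features: a subset of the multi-dimensional features (assumed choice).
CLUSTER_KEYS = ("device_model", "network_prefix", "node_sequence")
PRESET_CLUSTER_SIZE = 3  # hypothetical preset value


def account_features(requests):
    """S202: derive device and behavioral features for each account."""
    per_account = defaultdict(list)
    for req in requests:
        per_account[req["account"]].append(req)
    features = {}
    for account, reqs in per_account.items():
        reqs.sort(key=lambda r: r["ts"])
        first = reqs[0]
        features[account] = {
            "device_model": first["device_model"],
            # Device network address reduced to its first three octets.
            "network_prefix": ".".join(first["ip"].split(".")[:3]),
            # Behavioral feature: order in which business nodes were triggered.
            "node_sequence": tuple(r["node"] for r in reqs),
        }
    return features


def cluster_accounts(features, keys=CLUSTER_KEYS):
    """S203: accounts with the same clustering features form one cluster."""
    clusters = defaultdict(set)
    for account, feats in features.items():
        clusters[tuple(feats[k] for k in keys)].add(account)
    return dict(clusters)


def find_target_accounts(requests, keys=CLUSTER_KEYS, preset=PRESET_CLUSTER_SIZE):
    """S204: clusters with more accounts than the preset value are target accounts."""
    targets = set()
    for members in cluster_accounts(account_features(requests), keys).values():
        if len(members) > preset:
            targets |= members
    return targets


def _req(account, ts, node, device_model, ip):
    return {"account": account, "ts": ts, "node": node,
            "device_model": device_model, "ip": ip}


# Constructed daily business requests: four scripted accounts plus three users.
SAMPLE_REQUESTS = []
for i in range(1, 5):
    for step, node in enumerate(("Register Account", "Login Account", "Publishing Status")):
        SAMPLE_REQUESTS.append(
            _req(f"bot{i}", 100 * i + step, node, "emu-x", f"198.51.100.{i}"))
SAMPLE_REQUESTS += [
    _req("alice", 10, "Login Account", "phone-a", "203.0.113.7"),
    _req("alice", 11, "Follow Friends", "phone-a", "203.0.113.7"),
    _req("alice", 12, "Publishing Status", "phone-a", "203.0.113.7"),
    _req("bob", 20, "Login Account", "phone-b", "192.0.2.44"),
    _req("bob", 21, "Publishing Status", "phone-b", "192.0.2.44"),
    # Same device model and network prefix as the scripted accounts, different behavior.
    _req("carol", 30, "Login Account", "emu-x", "198.51.100.9"),
    _req("carol", 31, "Follow Friends", "emu-x", "198.51.100.9"),
]

if __name__ == "__main__":
    print(sorted(find_target_accounts(SAMPLE_REQUESTS)))
```

Clustering on device features alone would also sweep in the constructed user "carol", which is why the behavioral feature is part of the clustering key here.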
  • Step S205 Determine the corresponding key business node according to the target account.
  • the key business node is the business node with the best interception effect when intercepting illegal requests initiated by the target account.
  • Step S206 Obtain appeal data, which is appeal information against access interception sent by the target account.
  • Step S207 Update the target account and/or interception policy according to the complaint data, and return to step S201, where the interception policy is a policy for access interception of service requests sent by the target account.
  • The processing model that provides the interception strategy is further trained to update the target account that was previously determined to be an illegal account, and/or update the interception strategy for the target account, where, for the interception strategy, please refer to the relevant introduction in the embodiment shown in Figure 6, which will not be described again here.
  • The specific implementation steps of step S207 include:
  • Step S2071 Cluster according to the content of the complaint data to obtain the first complaint sample and the second complaint sample.
  • The first complaint sample is the complaint information sent by a normal account.
  • The second complaint sample is the complaint information sent by an account with the risk of initiating illegal requests to the target business.
  • Step S2072 Update the target account and/or interception policy based on the first complaint sample and/or the second complaint sample.
  • the processing model that provides the interception strategy is trained based on the white sample to complete the automatic optimization and iteration of the interception strategy and improve the accuracy and rationality of the interception strategy.
  • step S205 is the same as the implementation of step S102 in the embodiment shown in FIG. 2 of the present disclosure, and will not be described again one by one.
  • FIG. 10 is a structural block diagram of a service request processing device provided by an embodiment of the present disclosure. For convenience of explanation, only parts related to the embodiments of the present disclosure are shown.
  • service request processing device 3 includes:
  • the acquisition module 31 is used to obtain a target account.
  • the target account is an account with the risk of initiating illegal requests to the target business, and the target business has at least two business nodes;
  • the determination module 32 is used to determine the corresponding key business node according to the target account.
  • the key business node is the business node with the best interception effect when performing access interception on illegal requests initiated by the target account;
  • the interception module 33 is used to perform access interception on business requests sent by the target account based on the key business node.
  • The determination module 32 is specifically configured to: obtain the first service request sent by the target account; determine the interception revenue corresponding to each service node according to the first service request, where the interception revenue represents, based on unit computing resources, the effective interception duration for intercepting the attacker belonging to the target account at the corresponding business node; and determine the key business node based on the interception revenue.
  • When determining the interception revenue corresponding to each business node according to the first business request, the determination module 32 is specifically used to: based on the preset unit computing resources, perform access interception at different business nodes for the first business request sent by the target account, and record the first moment corresponding to each business node, the first moment being the start time of access interception; detect the second business request for the different business nodes sent by the target account, and record the second moment corresponding to the second business request, where the second business request is a business request that bypasses access interception and the second moment is the moment when the second business request is received; and determine the interception revenue corresponding to each business node according to the first moment and the second moment.
  • The interception module 33 is specifically used to: determine an interception strategy based on the key business node, where the interception strategy represents the allocation of the preset total computing resources among the business nodes; and, according to the interception strategy, intercept the business request sent by the target account at the key business node and at least one other business node.
  • the acquisition module 31 is specifically configured to identify the target account based on the multi-dimensional characteristics of daily business requests.
  • When the acquisition module 31 identifies the target account according to the multi-dimensional characteristics of the daily business request, it is specifically used to: obtain the multi-dimensional characteristics of the daily business request; cluster the accounts corresponding to the daily business request according to the multi-dimensional characteristics to obtain multiple clustered accounts, where a clustered account is a set of multiple accounts with the same clustering characteristics and the clustering characteristics are a subset of the multi-dimensional characteristics; and determine the target clustered account according to the number of accounts in each clustered account, the accounts in the target clustered account being the target accounts.
  • multi-dimensional features include at least two of the following categories: account features, device features, behavior features, and content features.
  • The acquisition module 31 is also used to: obtain appeal data, which is appeal information against access interception sent by the target account; and update the target account and/or interception policy according to the appeal data, where the interception policy is a policy for access interception of business requests sent by the target account.
  • When updating the target account and/or interception strategy according to the appeal data, the acquisition module 31 is specifically used to: perform clustering according to the content of the appeal data to obtain the first appeal sample and the second appeal sample, where the first appeal sample is the appeal information sent by a normal account and the second appeal sample is an account with the risk of initiating illegal requests to the target business; and update the target account and/or interception policy based on the first appeal sample and/or the second appeal sample.
  • the service request processing device 3 provided in this embodiment can execute the technical solution of the above method embodiment. Its implementation principles and technical effects are similar, and will not be described again in this embodiment.
  • FIG. 11 is a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure. As shown in FIG. 11, the electronic device 3 includes:
  • Processor 41 and memory 42 communicatively connected to processor 41;
  • Memory 42 stores computer execution instructions;
  • the processor 41 executes the computer execution instructions stored in the memory 42 to implement the service request processing method in the embodiment shown in Figures 2 to 9.
  • The processor 41 and the memory 42 are connected through the bus 43.
  • the electronic device 900 may be a terminal device or a server.
  • terminal devices may include but are not limited to mobile phones, notebook computers, digital broadcast receivers, personal digital assistants (Personal Digital Assistant, PDA), tablet computers (Portable Android Device, PAD), portable multimedia players (Portable Media Player, PMP), mobile terminals such as vehicle-mounted terminals (such as vehicle-mounted navigation terminals), and fixed terminals such as digital televisions (Television, TV), desktop computers, etc.
  • the electronic device shown in FIG. 12 is only an example and should not impose any limitations on the functions and scope of use of the embodiments of the present disclosure.
  • The electronic device 900 may include a processing device (such as a central processing unit, a graphics processor, etc.) 901, which may perform various appropriate actions and processing according to a program stored in a read-only memory (Read Only Memory, ROM) 902 or a program loaded from a storage device 908 into a random access memory (Random Access Memory, RAM) 903.
  • The RAM 903 also stores various programs and data required for the operation of the electronic device 900.
  • the processing device 901, ROM 902 and RAM 903 are connected to each other via a bus 904.
  • An input/output (I/O) interface 905 is also connected to bus 904.
  • The following devices can be connected to the I/O interface 905: input devices 906 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 907 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, etc.; a storage device 908 including a magnetic tape, a hard disk, etc.; and a communication device 909.
  • the communication device 909 may allow the electronic device 900 to communicate wirelessly or wiredly with other devices to exchange data.
  • Although FIG. 12 illustrates the electronic device 900 with various means, it should be understood that implementation or availability of all illustrated means is not required. More or fewer means may alternatively be implemented or provided.
  • embodiments of the present disclosure include a computer program product including a computer program carried on a computer-readable medium, the computer program containing program code for performing the method illustrated in the flowchart.
  • the computer program may be downloaded and installed from the network via communication device 909, or from storage device 908, or from ROM 902.
  • When the computer program is executed by the processing device 901, the above-mentioned functions defined in the method of the embodiment of the present disclosure are performed.
  • the computer-readable medium mentioned above in the present disclosure may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the above two.
  • the computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or any combination thereof.
  • Computer-readable storage media may include, but are not limited to: an electrical connection having one or more conductors, a portable computer disk, a hard drive, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (Erasable Programmable Read Only Memory, EPROM) or flash memory, optical fiber, portable compact disk read only memory (Compact Disc Read Only Memory, CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above.
  • a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus, or device.
  • a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code therein. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the above.
  • a computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code contained on a computer-readable medium can be transmitted using any appropriate medium, including but not limited to: wires, optical cables, radio frequency (Radio Frequency, RF), etc., or any suitable combination of the above.
  • the above-mentioned computer-readable medium may be included in the above-mentioned electronic device; it may also exist independently without being assembled into the electronic device.
  • the computer-readable medium carries one or more programs.
  • When the one or more programs are executed by the electronic device, the electronic device performs the method shown in the above embodiment.
  • Computer program code for performing the operations of the present disclosure may be written in one or more programming languages, including object-oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as "C" or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer can be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or it can be connected to an external computer (for example, using an Internet service provider to connect via the Internet).
  • each block in the flowchart or block diagram may represent a module, segment, or portion of code that contains one or more logic functions that implement the specified executable instructions.
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown one after another may actually execute substantially in parallel, or they may sometimes execute in the reverse order, depending on the functionality involved.
  • each block of the block diagram and/or flowchart illustration, and combinations of blocks in the block diagram and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or operations, or can be implemented using a combination of specialized hardware and computer instructions.
  • The units involved in the embodiments of the present disclosure can be implemented in software or hardware. The name of a unit does not, under certain circumstances, constitute a limitation on the unit itself.
  • The first acquisition unit may also be described as "a unit that obtains at least two Internet Protocol addresses."
  • Exemplary types of hardware logic components include: Field-Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC), Application Specific Standard Product (ASSP), System On Chip (SOC), Complex Programmable Logic Device (CPLD), etc.
  • a machine-readable medium may be a tangible medium that may contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • the machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium.
  • Machine-readable media may include, but are not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatuses or devices, or any suitable combination of the foregoing.
  • machine-readable storage media may include an electrical connection based on one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above.
  • a service request processing method including:
  • Obtaining a target account, which is an account with the risk of initiating illegal requests to the target business, the target business having at least two business nodes; determining the corresponding key business node according to the target account, the key business node being the business node with the best interception effect among the at least two business nodes when access interception is performed on illegal requests initiated by the target account; and performing access interception on the service request sent by the target account based on the key business node.
  • Determining the corresponding key business node according to the target account includes: obtaining the first business request sent by the target account; determining the interception revenue corresponding to each of the business nodes according to the first business request, where the interception revenue represents, based on unit computing resources, the effective interception time for intercepting the attacker belonging to the target account at the corresponding business node; and determining the key business node according to the interception revenue.
  • Determining the interception revenue corresponding to each of the service nodes according to the first service request includes: based on preset unit computing resources, performing access interception at different business nodes for the first service request sent by the target account, and recording the first moment corresponding to each business node, the first moment being the start time of the access interception; detecting the second service request for the different business nodes sent by the target account, and recording the second moment corresponding to the second service request, where the second service request is a service request that bypasses the access interception and the second moment is the time when the second service request is received; and determining the interception revenue corresponding to each of the service nodes based on the first moment and the second moment.
  • Performing access interception on the service request sent by the target account based on the key business node includes: determining an interception strategy based on the key business node, where the interception strategy represents the allocation of the preset total computing resources among the business nodes; and, according to the interception policy, intercepting the business request sent by the target account at the key business node and at least one other business node.
  • obtaining the target account includes: identifying the target account based on multi-dimensional characteristics of daily business requests.
  • Identifying the target account according to the multi-dimensional characteristics of the daily business request includes: obtaining the multi-dimensional characteristics of the daily business request; clustering the accounts corresponding to the daily business request according to the multi-dimensional characteristics to obtain multiple clustered accounts, where a clustered account is a set of multiple accounts with the same clustering characteristics and the clustering characteristics are a subset of the multi-dimensional characteristics; and determining the target clustered account according to the number of accounts in each clustered account, the account in the target clustered account being the target account.
  • the multi-dimensional features include at least two of the following categories: account features, device features, behavior features, and content features.
  • The method further includes: obtaining appeal data, which is appeal information sent by the target account against the access interception; and updating the target account and/or interception policy according to the appeal data, wherein the interception policy is a policy for access interception of service requests sent by the target account.
  • Updating the target account and/or interception strategy according to the appeal data includes: clustering according to the content of the appeal data to obtain a first appeal sample and a second appeal sample, wherein the first appeal sample is appeal information sent by a normal account, and the second appeal sample is an account with the risk of initiating illegal requests to the target business; and updating the target account and/or interception policy according to the first appeal sample and/or the second appeal sample.
  • a service request processing device including:
  • An acquisition module configured to acquire a target account, which is an account with the risk of initiating illegal requests to the target business, and the target business has at least two business nodes;
  • A determination module, configured to determine the corresponding key business node according to the target account, the key business node being the business node with the best interception effect among the at least two business nodes when access interception is performed on illegal requests initiated by the target account;
  • An interception module, configured to perform access interception on business requests sent by the target account based on the key business node.
  • The determination module is specifically configured to: obtain the first service request sent by the target account; determine the interception revenue corresponding to each of the service nodes according to the first service request, where the interception revenue represents, based on unit computing resources, the effective interception time for intercepting the attacker belonging to the target account at the corresponding business node; and determine the key business node based on the interception revenue.
  • When determining the interception revenue corresponding to each of the service nodes according to the first service request, the determination module is specifically configured to: based on the preset unit computing resources, perform access interception at different business nodes for the first business request sent by the target account, and record the first time corresponding to each of the business nodes, the first time being the start time of the access interception; detect the second service request for the different service nodes sent by the target account, and record the second time corresponding to the second service request, where the second service request is a service request that bypasses the access interception and the second time is the time when the second service request is received; and determine the interception revenue corresponding to each of the service nodes based on the first time and the second time.
  • The interception module is specifically configured to: determine an interception strategy based on the key business node, where the interception strategy represents the allocation of the preset total computing resources among the business nodes; and, according to the interception policy, intercept the business request sent by the target account at the key business node and at least one other business node.
  • the acquisition module is specifically configured to: detect daily business requests; and identify the target account according to the multi-dimensional characteristics of the daily business requests.
  • When identifying the target account according to the multi-dimensional characteristics of the daily business request, the acquisition module is specifically used to: obtain the multi-dimensional characteristics of the daily business request; cluster the accounts corresponding to the daily business request according to the multi-dimensional characteristics to obtain multiple clustered accounts, where a clustered account is a set of multiple accounts with the same clustering characteristics and the clustering characteristics are a subset of the multi-dimensional characteristics; and determine the target clustered account according to the number of accounts in each clustered account, the account in the target clustered account being the target account.
  • the multi-dimensional features include at least two of the following categories: account features, device features, behavior features, and content features.
  • The acquisition module is further configured to: obtain appeal data, which is appeal information sent by the target account against the access interception; and update the target account and/or interception policy according to the appeal data, where the interception policy is a policy for access interception of service requests sent by the target account.
  • When updating the target account and/or interception policy according to the appeal data, the acquisition module is specifically configured to: perform clustering according to the content of the appeal data to obtain a first appeal sample and a second appeal sample, wherein the first appeal sample is appeal information sent by a normal account, and the second appeal sample is an account with the risk of initiating illegal requests to the target business; and update the target account and/or interception policy according to the first appeal sample and/or the second appeal sample.
  • an electronic device including: a processor, and a memory communicatively connected to the processor;
  • the memory stores computer execution instructions
  • the processor executes computer execution instructions stored in the memory to implement the service request processing method described in the first aspect and various possible designs of the first aspect.
  • A computer-readable storage medium is provided, in which computer-executable instructions are stored; when a processor executes the computer-executable instructions, the service request processing method described in the first aspect and various possible designs of the first aspect is implemented.
  • embodiments of the present disclosure provide a computer program product, including a computer program that, when executed by a processor, implements the service request processing method described in the first aspect and various possible designs of the first aspect.
  • embodiments of the present disclosure provide a computer program that, when executed by a processor, implements the service request processing method described in the first aspect and various possible designs of the first aspect.
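
The account clustering described above for the acquisition module can be sketched as follows; this is an added example, not code from the patent. The feature values, the exact-match grouping over every subset of at least two feature categories, and the `min_accounts` threshold are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# The four feature categories named in the text.
FEATURE_DIMENSIONS = ("account", "device", "behavior", "content")

# Constructed sample of daily business requests (all values are illustrative).
# a1..a4 behave like one operator; a4 has changed its device and signup batch.
REQUESTS = [
    {"account_id": "a1", "account": "signup-batch-7", "device": "fp-01",
     "behavior": "burst-2s", "content": "tmpl-9"},
    {"account_id": "a2", "account": "signup-batch-7", "device": "fp-01",
     "behavior": "burst-2s", "content": "tmpl-9"},
    {"account_id": "a3", "account": "signup-batch-7", "device": "fp-02",
     "behavior": "burst-2s", "content": "tmpl-9"},
    {"account_id": "a4", "account": "signup-batch-8", "device": "fp-03",
     "behavior": "burst-2s", "content": "tmpl-9"},
    {"account_id": "u1", "account": "signup-web", "device": "fp-10",
     "behavior": "human", "content": "c-100"},
    {"account_id": "u2", "account": "signup-web", "device": "fp-11",
     "behavior": "human", "content": "c-101"},
    {"account_id": "u3", "account": "signup-web", "device": "fp-12",
     "behavior": "burst-2s", "content": "c-102"},
]


def cluster_accounts(requests, min_dims=2):
    """Group accounts that share identical values on a subset of features.

    Each key is the clustering characteristics: a tuple of (dimension, value)
    pairs covering at least `min_dims` feature categories.
    """
    clusters = defaultdict(set)
    for req in requests:
        for size in range(min_dims, len(FEATURE_DIMENSIONS) + 1):
            for dims in combinations(FEATURE_DIMENSIONS, size):
                if any(req.get(d) is None for d in dims):
                    continue  # feature missing for this request
                key = tuple((d, req[d]) for d in dims)
                clusters[key].add(req["account_id"])
    return clusters


def target_clusters(clusters, min_accounts):
    """Keep clusters with at least `min_accounts` accounts.

    When several feature subsets select the same set of accounts, only the
    most specific one (most dimensions) is kept.
    """
    best = {}
    for key, accounts in clusters.items():
        if len(accounts) < min_accounts:
            continue
        members = frozenset(accounts)
        if members not in best or len(key) > len(best[members]):
            best[members] = key
    return {key: set(members) for members, key in best.items()}


def target_accounts(requests, min_accounts):
    """Accounts that belong to any target cluster."""
    found = set()
    for members in target_clusters(cluster_accounts(requests), min_accounts).values():
        found |= members
    return found


if __name__ == "__main__":
    for key, members in target_clusters(cluster_accounts(REQUESTS), 3).items():
        print(sorted(members), "share", dict(key))
```

Because every feature subset is tried, account `a4` is still grouped with the others through its behavior and content features even though its device and account features differ.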

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Provided in the embodiments of the present disclosure are a service request processing method and apparatus, and an electronic device and a storage medium. The method comprises: acquiring a target account, wherein the target account is an account which has a risk of initiating an illegitimate request to a target service, and the target service has at least two service nodes; determining a corresponding key service node according to the target account, wherein the key service node is a service node which has the best interception effect for performing access interception on the illegitimate request that is initiated by the target account; and on the basis of the key service node, performing access interception on a service request, which is sent by the target account. A key service node having a better interception effect in a target service is evaluated, and then on the key service node, access interception is performed on an illegitimate request, which is initiated by a target account.

Description

Service request processing method, apparatus, electronic device and storage medium
Cross-reference to related applications
This application claims priority to the Chinese patent application filed with the China Patent Office on August 26, 2022, with application number 202211037837.4 and the invention title "Service request processing method, apparatus, electronic device and storage medium", the entire contents of which are incorporated herein by reference.
Technical field
The embodiments of the present disclosure relate to the field of Internet technology, and in particular to a service request processing method, apparatus, electronic device and storage medium.
Background
At present, with the rapid development of the Internet industry, illegal acts carried out using Internet technology, such as network attacks, information theft, and extortion and fraud, are increasing. Internet platforms of all kinds usually set up risk control mechanisms to intercept such illegal business requests and so ensure the security of the content and information on the platform.
In the prior art, for illegal requests used to achieve illegal business purposes, the platform usually identifies them through manual review or review based on fixed rules, and then intercepts the illegal accounts that send the illegal requests, to prevent such accounts from continuing to send illegal requests.
Summary of the invention
Embodiments of the present disclosure provide a service request processing method, apparatus, electronic device and storage medium.
In a first aspect, embodiments of the present disclosure provide a service request processing method, including:
Obtaining a target account, the target account being an account with the risk of initiating illegal requests to a target business, the target business having at least two business nodes; determining the corresponding key business node according to the target account, the key business node being the business node with the best interception effect among the at least two business nodes when access interception is performed on illegal requests initiated by the target account; and performing access interception on the service requests sent by the target account based on the key business node.
In a second aspect, embodiments of the present disclosure provide a service request processing apparatus, including:
An acquisition module, configured to acquire a target account, the target account being an account with the risk of initiating illegal requests to a target business, the target business having at least two business nodes;
A determination module, configured to determine the corresponding key business node according to the target account, the key business node being the business node with the best interception effect among the at least two business nodes when access interception is performed on illegal requests initiated by the target account;
An interception module, configured to perform access interception on the service requests sent by the target account based on the key business node.
In a third aspect, embodiments of the present disclosure provide an electronic device, including:
A processor, and a memory communicatively connected to the processor;
The memory stores computer-executable instructions;
The processor executes the computer-executable instructions stored in the memory to implement the service request processing method described in the first aspect and the various possible designs of the first aspect.
In a fourth aspect, embodiments of the present disclosure provide a computer-readable storage medium in which computer-executable instructions are stored; when a processor executes the computer-executable instructions, the service request processing method described in the first aspect and the various possible designs of the first aspect is implemented.
In a fifth aspect, embodiments of the present disclosure provide a computer program product, including a computer program that, when executed by a processor, implements the service request processing method described in the first aspect and the various possible designs of the first aspect.
In a sixth aspect, embodiments of the present disclosure provide a computer program that, when executed by a processor, implements the service request processing method described in the first aspect and the various possible designs of the first aspect.
The service request processing method, apparatus, electronic device and storage medium provided by the embodiments of the present disclosure obtain a target account, the target account being an account with the risk of initiating illegal requests to a target business, the target business having at least two business nodes; determine the corresponding key business node according to the target account, the key business node being the business node with the best interception effect among the at least two business nodes when access interception is performed on illegal requests initiated by the target account; and perform access interception on the service requests sent by the target account based on the key business node. Before illegal requests initiated by the target account are intercepted, the key business node with the better interception effect in the target business is first evaluated, and access interception of the illegal requests initiated by the target account is then performed at that key business node.
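
The key-node evaluation summarized above rests on the interception revenue: the effective interception duration per unit of computing resources, measured from the first moment (interception starts) to the second moment (a request that bypasses interception arrives). The sketch below is an added example, not code from the patent; the node names, timestamps, averaging over repeated trials, counting a trial with no observed bypass up to the end of observation, and the proportional split of the total computing resources are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Trial:
    """One interception trial against the target account at one business node."""
    node: str
    first_moment: float             # start of access interception (seconds)
    second_moment: Optional[float]  # arrival of a bypassing request, if seen


# Constructed sample measurements; node names are illustrative only.
TRIALS = [
    Trial("register", 0.0, 3600.0),
    Trial("register", 10000.0, 12400.0),
    Trial("login", 0.0, 600.0),
    Trial("login", 19000.0, None),   # not bypassed before observation ended
    Trial("publish", 0.0, 7000.0),
]


def interception_revenue(trial: Trial, unit_resources: float,
                         observed_until: float) -> float:
    """Effective interception duration per unit of computing resources."""
    if unit_resources <= 0:
        raise ValueError("unit_resources must be positive")
    # Assumption: with no bypass observed, count the duration up to the end
    # of the observation window (the true duration is at least this long).
    end = trial.second_moment if trial.second_moment is not None else observed_until
    if end < trial.first_moment:
        raise ValueError(f"bypass precedes interception start at {trial.node!r}")
    return (end - trial.first_moment) / unit_resources


def revenue_by_node(trials: Iterable[Trial], unit_resources: float,
                    observed_until: float) -> Dict[str, float]:
    """Mean interception revenue per business node over all its trials."""
    samples = defaultdict(list)
    for trial in trials:
        samples[trial.node].append(
            interception_revenue(trial, unit_resources, observed_until))
    return {node: sum(values) / len(values) for node, values in samples.items()}


def key_business_node(revenues: Dict[str, float]) -> str:
    """Node with the highest interception revenue; ties break by node name."""
    if len(revenues) < 2:
        raise ValueError("the target business needs at least two business nodes")
    return min(revenues, key=lambda node: (-revenues[node], node))


def interception_strategy(revenues: Dict[str, float], total_resources: float,
                          node_count: int = 2) -> Dict[str, float]:
    """Allocate the total computing resources to the key node and the
    next-best nodes, proportionally to their interception revenue."""
    if node_count < 2:
        raise ValueError("intercept at the key node and at least one other node")
    ranked = sorted(revenues, key=lambda node: (-revenues[node], node))[:node_count]
    weight = sum(revenues[node] for node in ranked)
    if weight == 0:
        return {node: total_resources / len(ranked) for node in ranked}
    return {node: total_resources * revenues[node] / weight for node in ranked}


if __name__ == "__main__":
    revenues = revenue_by_node(TRIALS, unit_resources=1.0, observed_until=20000.0)
    print("revenue per node:", revenues)
    print("key business node:", key_business_node(revenues))
    print("allocation:", interception_strategy(revenues, total_resources=100.0))
```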
Description of drawings
To explain the technical solutions in the embodiments of the present disclosure or in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present disclosure, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is an application scenario diagram of the service request processing method provided by an embodiment of the present disclosure;
Figure 2 is a first schematic flowchart of the service request processing method provided by an embodiment of the present disclosure;
Figure 3 is a flowchart of the specific implementation steps of step S102 in the embodiment shown in Figure 2;
Figure 4 is a schematic diagram of access interception at business nodes provided by an embodiment of the present disclosure;
Figure 5 is a flowchart of the specific implementation steps of step S1022 in the embodiment shown in Figure 3;
Figure 6 is a flowchart of the specific implementation steps of step S103 in the embodiment shown in Figure 2;
Figure 7 is a second schematic flowchart of the service request processing method provided by an embodiment of the present disclosure;
Figure 8 is a schematic diagram of a behavioral feature provided by an embodiment of the present disclosure;
Figure 9 is a flowchart of the specific implementation steps of step S207 in the embodiment shown in Figure 7;
Figure 10 is a structural block diagram of the service request processing apparatus provided by an embodiment of the present disclosure;
Figure 11 is a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure;
Figure 12 is a schematic diagram of the hardware structure of an electronic device provided by an embodiment of the present disclosure.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some of the embodiments of the present disclosure, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this disclosure, without creative effort, fall within the scope of protection of this disclosure.
The application scenarios of the embodiments of the present disclosure are explained below:
Figure 1 is an application scenario diagram of the service request processing method provided by an embodiment of the present disclosure. The method can be applied to security protection and risk control management for Internet platforms, and more specifically, for example, to security protection for a social platform. Illustratively, the method can be applied to a risk control server. In one possible implementation, as shown in Figure 1, the risk control server is connected to the platform server. External requests sent by terminal devices first enter the risk control server, which processes them and identifies and intercepts the illegal requests among them. The normal, legitimate requests are then sent to the platform server, which responds to them and generates platform content such as user messages and published information.
With the rapid development of the Internet industry, illegal activities carried out with Internet technology, such as network attacks, information theft, extortion and fraud, are also increasing. Examples include promoting illegal websites and publishing fraudulent information on Internet social platforms in order to obtain illegal income. These activities are usually carried out by using Internet technology to send service requests to the platform server automatically, registering accounts on social platforms in batches and publishing illegal content while posing as real users. In the prior art, social platforms usually identify service requests that serve illegal purposes on the basis of rules, and then intercept the illegal accounts that send them at a fixed business node, to stop those accounts from sending further illegal requests. For example, after a request to publish a fraudulent website is detected, the account that sent the illegal request is marked and is intercepted at the login business node, so that it cannot log in to the platform. However, interception at a fixed node is easily recognized by the attacker sending the illegal requests, who bypasses it by modifying the request parameters, which results in poor interception effect and low interception accuracy.
Embodiments of the present disclosure provide a service request processing method to solve the above problems. Referring to Figure 2, Figure 2 is a first schematic flowchart of the service request processing method provided by an embodiment of the present disclosure. The method of this embodiment can be applied in a server, and includes:
Step S101: Obtain a target account. The target account is an account at risk of initiating illegal requests to a target business, and the target business has at least two business nodes.
Illustratively, the target account is a subset of all accounts registered on the server; more specifically, it is the illegal accounts described in the application scenario above. The target accounts in this embodiment are clustered accounts that were registered in batches by one attacker (an illegal gang) and share similar characteristics in one or more dimensions.
Further, the target account may be an account that has a record of sending illegal requests, or an account that is assessed as likely to send illegal requests. An illegal request is a service request sent to the server that contains illegal content, such as fraud information or illegal website information. Once the server responds to an illegal request, the illegal information is displayed on the corresponding network platform. The target account can be obtained from account data preset in the server, or can be determined by detecting and evaluating, in real time, the service requests sent by different accounts; no specific limitation is made here.
Further, the illegal requests initiated by the target account correspond to a target business, for example publishing a status or publishing a comment on a social platform. The target business has at least two business nodes. For example, if the target business is publishing a status on a social platform, the corresponding business nodes include "register account", "log in to account", "follow friends" and "publish status". Illustratively, to carry out the target business (publishing a status on the social platform), the target account needs to send a service request to each business node in turn, and thereby finally achieves the purpose of sending an illegal request to the target business (publishing a status containing illegal content on the social platform).
Step S102: Determine the corresponding key business node according to the target account. The key business node is the business node with the best interception effect among the at least two business nodes when access interception is performed on illegal requests initiated by the target account.
Illustratively, after the target account is obtained, the corresponding key business node is determined based on the characteristics of the target account, that is, the business node with the best interception effect when access interception is performed on illegal requests initiated by the target account. "The business node with the best interception effect" can be realized in several ways in this embodiment: for example, the business node with the highest interception rate for illegal requests; the business node that consumes the fewest computing resources during interception; or the business node with the longest effective interception duration for illegal requests.
Illustratively, there are several ways to determine the corresponding key business node based on the characteristics of the target account. For example, the characteristic of the target account is the number of target accounts, and the corresponding key business node is determined according to that number. As another example, the characteristic of the target account is its historical interception records: by obtaining the history of interceptions of the target account, the effect of intercepting the target account at each business node is judged, and the key business node is determined accordingly.
Illustratively, as shown in Figure 3, the specific implementation steps of step S102 include:
Step S1021: Obtain the first service request sent by the target account.
Step S1022: According to the first service request, determine the interception revenue corresponding to each business node. The interception revenue represents the effective interception duration, per unit of computing resources, for which the attacker to whom the target account belongs is intercepted at the corresponding business node.
Illustratively, after the target account is determined, the service requests sent by the target account are monitored. When the first service request sent by the target account is detected, it is intercepted at different business nodes and the interception effect, that is, the interception revenue, is evaluated. For example, with the same computing resources, after interception at business node A, the attacker sending the illegal requests bypasses the access interception at node A 2 hours later by changing parameters; after interception at business node B, the attacker bypasses the access interception at node B 8 hours later by changing parameters. The effective interception duration at business node B is therefore longer, and its interception revenue is higher.
Figure 4 is a schematic diagram of access interception at business nodes provided by an embodiment of the present disclosure. The process of determining the interception revenue corresponding to each business node is described below with reference to Figure 4. As shown in Figure 4, the target business is "publishing a status on a social platform", and it includes a "login node", a "status editing node" and a "status display node". To publish a status on the social platform, the first service request has to be sent to each business node in turn ("login node", "status editing node", "status display node"). The first service request therefore includes three sub-requests: a first sub-request for the "login node", a second sub-request for the "status editing node", and a third sub-request for the "status display node". Illustratively, the target account includes N accounts, where N is an integer greater than 2, and the target account is divided into three account sets: account set A, account set B and account set C.
When the target account is detected sending service requests, then for each account in account set A, the first service request it sends to the "login node" is intercepted (that is, the first sub-request is intercepted), so that the accounts in account set A are intercepted at the "login node" and cannot log in. For each account in account set B, access interception is not performed at the "login node"; instead, the first service request it sends to the "status editing node" is intercepted (that is, the second sub-request is intercepted), so that the accounts in account set B are intercepted at the "status editing node": they can log in but cannot edit status content. For each account in account set C, access interception is not performed at the "login node" or the "status editing node"; instead, the first service request it sends to the "status display node" is intercepted (that is, the third sub-request is intercepted), so that the accounts in account set C are intercepted at the "status display node": they can log in and edit status content, but the status content cannot be displayed on the social platform.
Further, once the above process has been carried out, the target account has been intercepted at each of the different business nodes, so that it cannot access the target business. In practice, however, the attacker who uses the target account to send illegal requests responds to this interception by adjusting the program script and changing the parameters of the service requests it sends, such as the content keywords or login information, in order to avoid interception and trigger the target business normally (for example, publishing a status containing illegal information on a social platform). For access interception at different business nodes, however, the time cost and computing resource cost for the attacker to identify the interception rule and avoid it differ. For example, after access interception at the "login node", the attacker can simply use the program script to register new accounts and attack again, so the time cost and computing resource cost of avoiding interception are relatively low, that is, the effective interception duration is short. After access interception at the "status display node", the attacker has to send requests through the target account to several nodes in turn, such as the "login node" and the "status editing node", and also has to analyze the reasons and rules that prevent the illegal content from being displayed on the social platform before the interception can be avoided.
This costs more computing resources and time, that is, the effective interception duration is longer. The above is only illustrative. In practice, the effective interception duration for intercepting the attacker to whom the target account belongs at a given business node is affected by many factors, so the interception revenue of each business node can be determined by measuring the actual effective interception duration at each business node.
In a possible implementation, as shown in Figure 5, step S1022 includes:
Step S1022A: Based on preset unit computing resources, perform access interception at different business nodes on the first service request sent by the target account, and record the first time corresponding to each business node. The first time is the time at which access interception starts.
Step S1022B: Detect the second service requests sent by the target account to the different business nodes, and record the second time corresponding to each second service request. A second service request is a service request that bypasses the access interception, and the second time is the time at which the second service request is received.
Step S1022C: Determine the interception revenue corresponding to each business node according to the first time and the second time.
Step S1023: Determine the key business node according to the interception revenue.
Illustratively, computing resources include, for example, thread resources, memory resources and network resources. Unit computing resources are computing resources of a preset size, which is not specifically limited. After some of the target accounts have been intercepted at the different business nodes using the unit computing resources, the corresponding point in time, the first time, is recorded. The second service requests sent by the target account to each business node are then detected, and the time at which each second service request is received, the second time, is obtained. A second service request is a service request that bypasses the access interception. Illustratively, the illegal information contained in the first service request is "www.xxx.cn" (for example, a fraudulent website). The server intercepts the first service request at the "status display node" and replaces the illegal information "www.xxx.cn" with the string "######". The attacker then modifies the request parameters, changing the illegal information "www.xxx.cn" to "www(/).xxx(/).cn(/)", and generates a second service request from the modified illegal information, so that the server no longer recognizes the illegal information "www.xxx.cn" from the first service request and the access interception is bypassed.
Therefore, when the server detects, manually or with a pre-trained recognition model, that a service request contains content such as "www(/).xxx(/).cn(/)", a second service request is deemed to have been detected. The specific identification methods are not described here.
Then, from the difference between the first time and the second time, the effective interception duration of access interception at the corresponding business node can be determined, which gives the interception revenue. Further, the business node with the largest interception revenue is determined as the key business node.
In the steps of this embodiment, to address the problem that, during actual risk control detection, the attacker keeps changing attack methods and modifying parameters to bypass interception, the interception revenue of each business node is measured continuously and the business node with the largest interception revenue is taken as the key business node. In the subsequent steps, access interception of the illegal requests initiated by the attacker is performed on the basis of the key business node, which raises the attacker's cost of attack, improves the efficiency of intercepting illegal requests and improves the utilization of computing resources.
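The following Python example is added here for illustration and is not part of the patent text. It walks through steps S1022A to S1023 on constructed data: it records the first time per node, finds the second time as the earliest request that evades the literal rule but still carries the blocked string, and picks the node with the largest interception revenue. The function names, the sample timestamps, the normalization rule (a stand-in for the "manual or pre-trained recognition model") and the choice to count a node that has not yet been bypassed up to the current time are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

BLOCKED = "www.xxx.cn"  # placeholder string used on the page


def normalize(text):
    """Lower-case and drop the "(/)" padding and whitespace shown in the page's example."""
    return re.sub(r"\(/\)|\s+", "", text.lower())


def is_second_request(content, blocked=BLOCKED):
    """True when the literal rule misses the content but the normalized form still matches."""
    return blocked not in content.lower() and blocked in normalize(content)


@dataclass
class NodeTrial:
    node: str               # business node where one account set is intercepted
    first_time: datetime    # S1022A: start of access interception at this node
    resource_units: float   # unit computing resources spent at this node (assumed > 0)


def second_time(trial, requests):
    """S1022B: earliest bypassing request seen at this node after interception began."""
    hits = [ts for ts, node, content in requests
            if node == trial.node and ts > trial.first_time
            and is_second_request(content)]
    return min(hits) if hits else None


def interception_revenue(trial, requests, now):
    """S1022C: effective interception hours per unit of computing resources.

    Assumption: a node that has not been bypassed yet is counted up to `now`,
    which is a lower bound on its real effective interception duration.
    """
    end = second_time(trial, requests) or now
    hours = (end - trial.first_time).total_seconds() / 3600
    return hours / trial.resource_units


def key_business_node(trials, requests, now):
    """S1023: the node with the largest interception revenue."""
    revenue = {t.node: interception_revenue(t, requests, now) for t in trials}
    return max(revenue, key=revenue.get), revenue


def demo():
    t0 = datetime(2024, 1, 1, 0, 0)  # constructed timestamps
    trials = [NodeTrial("login", t0, 1.0),
              NodeTrial("status_edit", t0, 1.0),
              NodeTrial("status_display", t0, 1.0)]
    h = lambda n: t0 + timedelta(hours=n)
    # Constructed request log: (received_at, business node, request content).
    requests = [
        (h(1), "login", "see www.xxx.cn"),                    # literal form, still caught
        (h(2), "login", "see www(/).xxx(/).cn(/)"),           # bypass at login
        (h(3), "status_edit", "holiday photos"),              # benign traffic
        (h(5), "status_edit", "see WWW(/).xxx(/).cn(/)"),     # bypass at status_edit
        (h(8), "status_display", "see www(/).xxx(/).cn(/)"),  # bypass at status_display
    ]
    return key_business_node(trials, requests, now=h(12))


if __name__ == "__main__":
    node, revenue = demo()
    print(node, revenue)
```
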
Step S103: Based on the key business node, perform access interception on the service requests sent by the target account.
Illustratively, after the key business node is determined, access interception is performed on the service requests sent by the target account on the basis of the key business node, so that interception efficiency is dynamically maximized. For example, when the key business node is the "add friend" business node of a social platform, the attacker can register "target accounts" in batches with a program script and send service requests to log in, like posts and so on, but cannot "add friends". When the attacker modifies the parameters and sends illegal requests again, the key business node, being determined from the interception revenue of each business node, may change accordingly, for example to the "publish information" business node of the social platform, in which case the attacker can send service requests to log in, add friends and so on, but cannot publish information. Dynamic access interception of the target account is thereby achieved.
In a possible implementation, as shown in Figure 6, the specific implementation steps of step S103 include:
Step S1031: Determine an interception strategy based on the key business node. The interception strategy represents the allocation of the preset total computing resources among the business nodes.
Step S1032: According to the interception strategy, intercept the service requests sent by the target account at the key business node and at least one other business node.
Illustratively, in application scenarios of security protection and risk control management for Internet platforms, the risk control server has to process a large amount of request data in real time, and several attackers may be sending illegal requests to the platform at the same time. The interception strategy for illegal requests therefore has to take into account the overall allocation of computing resources on the risk control server, so that service requests are still processed in real time. Specifically, after the key business node is determined, more computing resources can be allocated to the key business node, for example so that access interception is performed for all target accounts only at the key business node. At the same time, a small amount of computing resources is allocated to the other business nodes of the target business, so that some of the target accounts are intercepted at those other nodes. This forms a more complex interception strategy which, while keeping interception reliable, makes it more time-consuming and more costly for the attacker to crack and analyze the interception rules, further improving the interception of illegal requests and addressing the problem of attackers constantly changing attack methods and modifying parameters to bypass interception. The interception strategy can be provided by a pre-trained processing model: the target business and the key business node are the input, and the pre-trained processing model outputs the corresponding interception strategy.
In this embodiment, a target account is obtained, the target account being an account at risk of initiating illegal requests to a target business, and the target business having at least two business nodes; the corresponding key business node is determined according to the target account, the key business node being the business node with the best interception effect when access interception is performed on illegal requests initiated by the target account; and access interception is performed, based on the key business node, on the service requests sent by the target account. Because the key business node with the better interception effect in the target business is evaluated first, and access interception of the illegal requests initiated by the target account is then performed at that key business node, the accuracy of intercepting illegal requests is improved. At the same time, dynamic interception of the target account is formed, which makes it harder for the target account to bypass interception by changing access parameters and improves the efficiency with which computing resources are used.
Referring to Figure 7, Figure 7 is a second schematic flowchart of the service request processing method provided by an embodiment of the present disclosure. On the basis of the embodiment shown in Figure 2, this embodiment adds the steps of determining the target account and updating the interception strategy based on appeal data. The service request processing method includes:
步骤S201:检测日常业务请求。Step S201: Detect daily business requests.
步骤S202:获取日常业务请求的多维度特征。Step S202: Obtain multi-dimensional characteristics of daily business requests.
示例性地,在针对于互联网平台的安全防护、风控管理的应用场景中,风控服务器,即本实施例的执行主体,会对用户通过终端设备向风控服务器发送的业务请求进行无差别或随机检测,从而获得不同账户发送的业务请求,即日常业务请求。之后,获取日常业务请求对应的多维度特征,示例性地,多维度特征包括以下至少两类:账户特征,设备特征、行为特征、内容特征,下面详细对各特征进行介绍:For example, in the application scenario of security protection and risk control management for the Internet platform, the risk control server, that is, the execution subject of this embodiment, will perform indiscriminate processing on the business requests sent by the user to the risk control server through the terminal device. Or perform random detection to obtain business requests sent by different accounts, that is, daily business requests. Afterwards, multi-dimensional features corresponding to daily business requests are obtained. For example, multi-dimensional features include at least two of the following categories: account features, device features, behavioral features, and content features. Each feature is introduced in detail below:
账户特征,即发送该日常业务请求的账户的特征,例如账户标识(例如账户名称、账户头像)、账户创建时间、账户登记信息(例如账户中设置的年龄、性别、居住地等信息)等。一种可能的实现方式中,日常业务请求中可以包含发送该请求的账户的识别信息,通过识别信息可进一步确定账户特征。Account characteristics, that is, the characteristics of the account that sends the daily business request, such as account identification (such as account name, account avatar), account creation time, account registration information (such as age, gender, residence and other information set in the account), etc. In a possible implementation, the daily business request may include the identification information of the account that sends the request, and the account characteristics can be further determined through the identification information.
设备特征,即发送该日常业务请求的账户所登录的设备的特征,例如设备标识、设备型号、设备登录时间、设备网络地址等。一种可能的实现方式中,日常业务请求中可以包含发送该请求的设备的识别信息,通过识别信息可进一步确定设备特征。Device characteristics, that is, characteristics of the device logged in by the account that sent the daily business request, such as device identification, device model, device login time, device network address, etc. In one possible implementation, the daily service request may include the identification information of the device sending the request, and the device characteristics may be further determined through the identification information.
Behavioral features characterize the order of the daily business requests that the same account sends to different business nodes, that is, the order in which business requests are sent to the business nodes of the target business, or in other words the timing with which the business nodes are triggered. Behavioral features can be determined jointly from the specific content information of multiple daily business requests. Figure 8 is a schematic diagram of a behavioral feature provided by an embodiment of the present disclosure. As shown in Figure 8, for example, for a specific account Acc_1, if the daily business requests A it sends (a set of multiple business requests) trigger the business nodes "user login", "add friend", and "leave a message in the friend's comment area" in sequence, the behavioral feature corresponding to daily business requests A is behavioral feature a; if the daily business requests B it sends (a set of multiple business requests) trigger the business nodes "user login", "enter hot-list topic", and "leave a message in the topic area" in sequence, the behavioral feature corresponding to daily business requests B is behavioral feature b.
Content features are features of the content in the daily business requests sent, such as specific keywords and sentences containing specific keywords, and/or the behavioral content associated with a behavioral feature. For example, if a daily business request is used to trigger the "add friend" business node, the corresponding content feature is the account identification of the friend to be added. Content features can be determined from the specific content information in the daily business requests.
Further, multi-dimensional features refer to a combination of at least two of the above four kinds of features. More specifically, the multi-dimensional features may include multiple subcategories within each category of feature (account features, device features, behavioral features, content features), yielding combinations across more dimensions. For example, the multi-dimensional features may include features in 500 dimensions, giving a more precise description of business requests.
Step S203: Cluster the accounts corresponding to the daily business requests according to the multi-dimensional features to obtain multiple clustered accounts. A clustered account is a set of multiple accounts that share the same clustering features, where the clustering features are a subset of the multi-dimensional features.
Step S204: Determine the target clustered account according to the number of accounts in each clustered account. The accounts in the target clustered account are the target accounts.
For example, the multi-dimensional features serve as descriptive information for the daily business requests: the more dimensions there are, the more accurate the description. Specifically, for daily business requests sent by normal accounts, because different users use the Internet platform in different ways and for different purposes, the features of their daily business requests are random across multiple dimensions, and so daily business requests from normal accounts usually do not concentrate under the same multi-dimensional features. By contrast, for illegal accounts (target accounts) that an attacker registers with a script program, the illegal requests they send are driven by the script, so they aggregate strongly under multi-dimensional features composed of certain dimensions, for example logging in at the same time (device feature), having friends in common (account feature), triggering business nodes in the same order (behavioral feature), and leaving identical messages (content feature). Therefore, based on the multi-dimensional features corresponding to the daily business requests, the accounts whose daily business requests share the same multi-dimensional features are clustered to obtain clustered accounts. The number of accounts in each clustered account is then evaluated; when it is greater than a preset value, the accounts in that clustered account are deemed abnormal and at risk of initiating illegal requests, that is, they are target accounts.
In this embodiment, daily business requests are detected and judged comprehensively across multiple dimensions, and the degree to which their multi-dimensional features aggregate is used to distinguish accurately between illegal requests generated by script programs and legitimate business requests sent by ordinary accounts, so that target accounts are located precisely. This avoids the problem in existing schemes that judge target accounts from expert experience, where an attacker changing request parameters makes it impossible to locate the target account accurately, and it improves the accuracy of illegal-account detection.
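Steps S203 and S204 can be illustrated with the following added example, which is not code from the patent. It assumes four feature dimensions (`behavior`, `content`, `device_model`, `login_minute`), a constructed request sample, and exact-match grouping on every subset of at least two dimensions; all names and the threshold value are hypothetical.

```python
from collections import defaultdict
from itertools import combinations


def constructed_requests():
    """Constructed sample of daily business requests:
    (account, second, business node, content)."""
    rows = []
    for i in range(4):  # four scripted accounts replaying one flow
        acc = f"bot_{i}"
        rows += [(acc, 100 + i, "login", ""),
                 (acc, 105 + i, "add_friend", "acc_777"),
                 (acc, 110 + i, "friend_comment", "Cheap followers here")]
    rows += [
        ("alice", 50, "login", ""), ("alice", 90, "add_friend", "acc_12"),
        ("alice", 200, "friend_comment", "happy birthday!"),
        ("bob", 60, "login", ""), ("bob", 75, "hot_topic", ""),
        ("bob", 130, "topic_comment", "great match"),
        ("carol", 61, "login", ""), ("carol", 80, "hot_topic", ""),
        ("carol", 140, "topic_comment", "who won?"),
    ]
    return rows


# Constructed device feature: model reported by the logged-in device.
DEVICE_MODEL = {"bot_0": "emu-x86", "bot_1": "emu-x86", "bot_2": "emu-x86",
                "bot_3": "emu-x86", "alice": "phone-A", "bob": "phone-B",
                "carol": "phone-A"}


def extract_features(requests, device_model):
    """Build one feature record per account from its requests."""
    per_account = defaultdict(list)
    for acc, ts, node, content in requests:
        per_account[acc].append((ts, node, content))
    features = {}
    for acc, events in per_account.items():
        events.sort(key=lambda e: e[0])
        login_ts = next((ts for ts, node, _ in events if node == "login"), None)
        features[acc] = {
            # Behavioral feature: order in which business nodes were triggered.
            "behavior": tuple(node for _, node, _ in events),
            # Content feature: normalized payloads (friend id, message text).
            "content": tuple(c.strip().lower() for _, _, c in events if c),
            # Device features: login time bucketed to the minute, and model.
            "login_minute": None if login_ts is None else login_ts // 60,
            "device_model": device_model.get(acc),
        }
    return features


def find_target_accounts(features, preset=3, min_dims=2):
    """S203: group accounts that agree on a subset of the dimensions.
    S204: a group holding more than `preset` accounts is a target cluster.
    Exhaustive subset enumeration only suits a handful of dimensions."""
    dims = sorted(next(iter(features.values()))) if features else []
    targets, clusters = set(), []
    for k in range(min_dims, len(dims) + 1):
        for subset in combinations(dims, k):
            groups = defaultdict(set)
            for acc, feat in features.items():
                values = tuple(feat[d] for d in subset)
                if None in values:  # a missing value must not act as a match
                    continue
                groups[values].add(acc)
            for accounts in groups.values():
                if len(accounts) > preset:
                    clusters.append((subset, sorted(accounts)))
                    targets |= accounts
    return targets, clusters


if __name__ == "__main__":
    feats = extract_features(constructed_requests(), DEVICE_MODEL)
    found, why = find_target_accounts(feats)
    print(sorted(found))
    for subset, accounts in why:
        print(subset, accounts)
```

In the sample, `alice` shares the scripted accounts' node order and `bob` and `carol` share their login minute, but none of them matches on two dimensions at once in a group larger than the preset value, so only the scripted accounts are returned.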
Step S205: Determine the corresponding key business node according to the target account. The key business node is the business node at which access interception of the illegal requests initiated by the target account has the best interception effect.
Step S206: Obtain appeal data. The appeal data is the appeal information that target accounts send against the access interception.
Step S207: Update the target account and/or the interception strategy according to the appeal data, and return to step S201. The interception strategy is the strategy for access interception of business requests sent by the target account.
For example, after the key business node is determined, access by the target account is intercepted based on the key business node, protecting the system ecosystem. Some requests may nevertheless be intercepted by mistake, so that normal users' business requests are blocked and cannot trigger the business nodes as usual. Some of those users will then submit appeal requests against the mistaken interception; at the same time, the attacker will also use script programs to send false appeal requests to the server from target accounts. Appeal data is the collection of appeal information submitted to the Internet platform for target accounts. After obtaining the appeal data, the server analyzes it and can determine both the real appeal information, sent by users and reflecting mistaken interceptions, and the false appeal information sent by script programs. The real and false appeal information is then used to further train the processing model that provides the interception strategy, thereby updating the target accounts previously determined to be illegal accounts and/or updating the interception strategy for the target accounts. For the specific implementation of the interception strategy, see the related description in the embodiment shown in Figure 6; it is not repeated here.
For example, as shown in Figure 9, the specific implementation of step S207 includes:
Step S2071: Cluster the appeal data according to its content to obtain first appeal samples and second appeal samples, where a first appeal sample is appeal information sent by a normal account, and a second appeal sample is an account with a risk of initiating illegal requests to the target business.
Step S2072: Update the target account and/or the interception strategy according to the first appeal samples and/or the second appeal samples.
For example, after the appeal data is obtained, the content of each piece of appeal information is used. For instance, where the appeal information includes a "description of the reason for appeal" content item, text clustering is performed on that item, outliers are excluded, and non-outliers are automatically marked as valid appeal information, that is, first appeal samples; the remaining outliers are marked as second appeal samples. The accounts corresponding to the first appeal samples are then marked as white samples, and the processing model that provides the interception strategy is trained on the white samples, completing the automatic optimization and iteration of the interception strategy and improving its accuracy and reasonableness.
In this embodiment, step S205 is implemented in the same way as step S102 in the embodiment shown in Figure 2 of the present disclosure, and is not described again here.
Corresponding to the service request processing method of the above embodiments, Figure 10 is a structural block diagram of a service request processing device provided by an embodiment of the present disclosure. For ease of explanation, only the parts related to the embodiments of the present disclosure are shown. Referring to Figure 10, the service request processing device 3 includes:
an acquisition module 31, configured to obtain a target account, where the target account is an account with a risk of initiating illegal requests to a target business, and the target business has at least two business nodes;
a determination module 32, configured to determine the corresponding key business node according to the target account, where the key business node is the business node at which access interception of the illegal requests initiated by the target account has the best interception effect;
an interception module 33, configured to perform access interception on the business requests sent by the target account based on the key business node.
In one embodiment of the present disclosure, the determination module 32 is specifically configured to: obtain a first business request sent by the target account; determine, according to the first business request, the interception revenue corresponding to each business node, where the interception revenue represents the effective interception duration for which, based on a unit of computing resources, the attacker to which the target account belongs is intercepted at the corresponding business node; and determine the key business node according to the interception revenue.
In one embodiment of the present disclosure, when determining the interception revenue corresponding to each business node according to the first business request, the determination module 32 is specifically configured to: based on a preset unit of computing resources, perform access interception at different business nodes on the first business request sent by the target account, and record the first moment corresponding to each business node, where the first moment is the moment at which the access interception starts; detect second business requests that the target account sends to the different business nodes, and record the second moment corresponding to each second business request, where a second business request is a business request that bypasses the access interception and the second moment is the moment at which the second business request is received; and determine the interception revenue corresponding to each business node according to the first moment and the second moment.
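The measurement described above can be sketched as follows. This is an added example, not code from the patent: it assumes that revenue is the interval between the first and second moments divided by the units of computing resource spent, that a node with no observed bypass is credited with the time up to the end of the observation window (a lower bound), and that the log layout and all names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NodeRevenue:
    node: str
    effective_seconds: float  # second moment minus first moment
    revenue: float            # effective seconds per unit of computing resource
    bypass_seen: bool         # False: duration is censored at the window end


# Constructed measurement log (seconds since an arbitrary epoch).
INTERCEPT_STARTS = {"login": 1000, "add_friend": 1000, "friend_comment": 1000}
BYPASS_EVENTS = [  # (time received, business node, sending account)
    (900, "login", "bot_0"),            # before interception began: ignored
    (1600, "login", "bot_1"),
    (1900, "login", "bot_0"),
    (8200, "add_friend", "bot_2"),
    (1300, "friend_comment", "alice"),  # not a target account: ignored
]
TARGET_ACCOUNTS = {"bot_0", "bot_1", "bot_2"}


def interception_revenue(starts, bypasses, targets, unit_resources,
                         observation_end):
    """Return per-node revenue, best node first.

    starts          -- node -> first moment (interception start)
    bypasses        -- requests that got past the interception
    targets         -- accounts attributed to the attacker
    unit_resources  -- preset computing resource spent at each node
    observation_end -- end of the measurement window
    """
    if unit_resources <= 0:
        raise ValueError("unit_resources must be positive")
    results = []
    for node, first_moment in starts.items():
        # Second moment: the earliest bypass by any target account at this
        # node after interception started and inside the window.
        candidates = [t for t, n, acc in bypasses
                      if n == node and acc in targets
                      and first_moment <= t <= observation_end]
        second_moment = min(candidates) if candidates else observation_end
        seconds = max(0, second_moment - first_moment)
        results.append(NodeRevenue(node, seconds, seconds / unit_resources,
                                   bool(candidates)))
    return sorted(results, key=lambda r: r.revenue, reverse=True)


def key_business_node(results):
    """The node with the highest interception revenue."""
    if not results:
        raise ValueError("no business nodes were measured")
    return results[0].node


if __name__ == "__main__":
    ranked = interception_revenue(INTERCEPT_STARTS, BYPASS_EVENTS,
                                  TARGET_ACCOUNTS, unit_resources=2,
                                  observation_end=10000)
    for r in ranked:
        print(r)
    print("key business node:", key_business_node(ranked))
```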
In one embodiment of the present disclosure, the interception module 33 is specifically configured to: determine an interception strategy based on the key business node, where the interception strategy represents how the preset total computing resources are allocated among the business nodes; and, according to the interception strategy, intercept the business requests sent by the target account at the key business node and at least one other business node.
In one embodiment of the present disclosure, the acquisition module 31 is specifically configured to identify the target account according to the multi-dimensional features of daily business requests.
In one embodiment of the present disclosure, when identifying the target account according to the multi-dimensional features of daily business requests, the acquisition module 31 is specifically configured to: obtain the multi-dimensional features of the daily business requests; cluster the accounts corresponding to the daily business requests according to the multi-dimensional features to obtain multiple clustered accounts, where a clustered account is a set of multiple accounts that share the same clustering features, and the clustering features are a subset of the multi-dimensional features; and determine the target clustered account according to the number of accounts in each clustered account, where the accounts in the target clustered account are the target accounts.
In one embodiment of the present disclosure, the multi-dimensional features include at least two of the following categories: account features, device features, behavioral features, and content features.
In one embodiment of the present disclosure, the acquisition module 31 is further configured to: obtain appeal data, where the appeal data is the appeal information that target accounts send against the access interception; and update the target account and/or the interception strategy according to the appeal data, where the interception strategy is the strategy for access interception of business requests sent by the target account.
In one embodiment of the present disclosure, when updating the target account and/or the interception strategy according to the appeal data, the acquisition module 31 is specifically configured to: cluster the appeal data according to its content to obtain first appeal samples and second appeal samples, where a first appeal sample is appeal information sent by a normal account, and a second appeal sample is an account with a risk of initiating illegal requests to the target business; and update the target account and/or the interception strategy according to the first appeal samples and/or the second appeal samples.
The acquisition module 31, the determination module 32, and the interception module 33 are connected in sequence. The service request processing device 3 provided in this embodiment can execute the technical solutions of the above method embodiments; its implementation principles and technical effects are similar and are not described again here.
Figure 11 is a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure. As shown in Figure 11, the electronic device 3 includes:
a processor 41, and a memory 42 communicatively connected to the processor 41;
the memory 42 stores computer-executable instructions;
the processor 41 executes the computer-executable instructions stored in the memory 42 to implement the service request processing method of the embodiments shown in Figures 2 to 9.
Optionally, the processor 41 and the memory 42 are connected through a bus 43.
The relevant details can be understood by referring to the descriptions and effects of the corresponding steps in the embodiments of Figures 2 to 9, and are not repeated here.
Referring to Figure 12, a schematic structural diagram is shown of an electronic device 900 suitable for implementing embodiments of the present disclosure. The electronic device 900 may be a terminal device or a server. Terminal devices may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, personal digital assistants (Personal Digital Assistant, PDA), tablet computers (Portable Android Device, PAD), portable multimedia players (Portable Media Player, PMP), and vehicle-mounted terminals (for example, vehicle-mounted navigation terminals), as well as fixed terminals such as digital televisions (Television, TV) and desktop computers. The electronic device shown in Figure 12 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present disclosure.
As shown in Figure 12, the electronic device 900 may include a processing device 901 (for example, a central processing unit or a graphics processor), which can perform various appropriate actions and processing according to a program stored in a read-only memory (Read Only Memory, ROM) 902 or a program loaded from a storage device 908 into a random access memory (Random Access Memory, RAM) 903. The RAM 903 also stores various programs and data required for the operation of the electronic device 900. The processing device 901, the ROM 902, and the RAM 903 are connected to one another through a bus 904. An input/output (Input/Output, I/O) interface 905 is also connected to the bus 904.
Generally, the following devices can be connected to the I/O interface 905: input devices 906 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, and gyroscope; output devices 907 including, for example, a liquid crystal display (Liquid Crystal Display, LCD), speaker, and vibrator; storage devices 908 including, for example, a magnetic tape and hard disk; and a communication device 909. The communication device 909 may allow the electronic device 900 to communicate wirelessly or by wire with other devices to exchange data. Although Figure 12 shows the electronic device 900 with various devices, it should be understood that not all of the illustrated devices are required to be implemented or present. More or fewer devices may alternatively be implemented or present.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the method shown in the flowchart. In such embodiments, the computer program may be downloaded and installed from a network through the communication device 909, installed from the storage device 908, or installed from the ROM 902. When the computer program is executed by the processing device 901, the above functions defined in the methods of the embodiments of the present disclosure are performed.
It should be noted that the computer-readable medium mentioned above in the present disclosure may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the above. More specific examples of computer-readable storage media may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (Erasable Programmable Read Only Memory, EPROM) or flash memory, optical fiber, portable compact disc read-only memory (Compact Disc Read Only Memory, CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. Program code contained on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to: electric wire, optical cable, radio frequency (Radio Frequency, RF), or any suitable combination of the above.
The above computer-readable medium may be included in the above electronic device, or it may exist independently without being assembled into the electronic device.
The above computer-readable medium carries one or more programs. When the one or more programs are executed by the electronic device, they cause the electronic device to perform the methods shown in the above embodiments.
Computer program code for performing the operations of the present disclosure may be written in one or more programming languages or a combination of them, including object-oriented programming languages such as Java, Smalltalk, and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. Where a remote computer is involved, the remote computer may be connected to the user's computer through any kind of network, including a local area network (Local Area Network, LAN) or a wide area network (Wide Area Network, WAN), or it may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, program segment, or portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented in software or in hardware. The name of a unit does not, in some cases, constitute a limitation on the unit itself; for example, the first acquisition unit may also be described as "a unit that obtains at least two Internet Protocol addresses".
The functions described above may be performed, at least in part, by one or more hardware logic components. For example, and without limitation, exemplary types of hardware logic components that can be used include: Field-Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC), Application Specific Standard Parts (ASSP), System On Chip (SOC), Complex Programmable Logic Device (CPLD), and so on.
In the context of the present disclosure, a machine-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. Machine-readable media may include, but are not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatuses, or devices, or any suitable combination of the above. More specific examples of machine-readable storage media include an electrical connection based on one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
In a first aspect, according to one or more embodiments of the present disclosure, a service request processing method is provided, including:
obtaining a target account, where the target account is an account with a risk of initiating illegal requests to a target business, and the target business has at least two business nodes; determining the corresponding key business node according to the target account, where the key business node is, among the at least two business nodes, the business node with the best interception effect when access interception is performed on the illegal requests initiated by the target account; and performing access interception on the business requests sent by the target account based on the key business node.
According to one or more embodiments of the present disclosure, determining the corresponding key business node according to the target account includes: obtaining a first business request sent by the target account; determining, according to the first business request, the interception revenue corresponding to each of the business nodes, where the interception revenue represents the effective interception duration for which, based on a unit of computing resources, the attacker to which the target account belongs is intercepted at the corresponding business node; and determining the key business node according to the interception revenue.
According to one or more embodiments of the present disclosure, determining the interception revenue corresponding to each of the business nodes according to the first business request includes: based on a preset unit of computing resources, performing access interception at different business nodes on the first business request sent by the target account, and recording the first moment corresponding to each of the business nodes, where the first moment is the moment at which the access interception starts; detecting second business requests that the target account sends to the different business nodes, and recording the second moment corresponding to each second business request, where a second business request is a business request that bypasses the access interception and the second moment is the moment at which the second business request is received; and determining the interception revenue corresponding to each of the business nodes according to the first moment and the second moment.
根据本公开的一个或多个实施例,基于所述关键业务节点,对目标账户发送的业务请求进行访问拦截,包括:基于所述关键业务节点,确定拦截策略,所述拦截策略表征预设的总计算资源在各所述业务节点的计算资源分配;根据所述拦截策略,在所述关键业务节点和至少一个其他业务节点对所述目标账户发送的业务请求进行拦截。According to one or more embodiments of the present disclosure, performing access interception on the service request sent by the target account based on the key business node includes: determining an interception strategy based on the key business node, and the interception strategy represents a preset The total computing resources are allocated to each of the business nodes; according to the interception policy, the business request sent by the target account is intercepted at the key business node and at least one other business node.
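The measurement described in the three preceding paragraphs can be sketched as follows; this is an added example, not code from the patent or its applicants. The node names, the sample timings, the use of the observation-window end when no bypass has been seen, and the proportional allocation rule are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Trial:
    """One probe: interception switched on at a single service node."""
    node: str                       # service node under test (hypothetical names)
    units: float                    # computing resources spent, in preset units
    first_moment: float             # start time of the access interception (s)
    second_moment: Optional[float]  # arrival of the first bypassing request, or None


def interception_benefit(trial: Trial, observation_end: float) -> float:
    """Effective interception duration per unit of computing resources."""
    if trial.units <= 0:
        raise ValueError("units must be positive")
    # No bypass seen yet: the interception has held at least until the end of
    # the observation window, so use that as a lower bound (assumption).
    end = observation_end if trial.second_moment is None else trial.second_moment
    if end < trial.first_moment:
        raise ValueError("second moment precedes first moment")
    return (end - trial.first_moment) / trial.units


def benefits_by_node(trials: Iterable[Trial], observation_end: float) -> Dict[str, float]:
    """Mean interception benefit per service node over all of its trials."""
    samples = defaultdict(list)
    for trial in trials:
        samples[trial.node].append(interception_benefit(trial, observation_end))
    return {node: sum(vals) / len(vals) for node, vals in samples.items()}


def key_node(benefits: Dict[str, float]) -> str:
    """The service node with the highest interception benefit."""
    if len(benefits) < 2:
        raise ValueError("the target service needs at least two service nodes")
    return max(benefits, key=benefits.get)


def interception_policy(benefits: Dict[str, float], total_units: float) -> Dict[str, float]:
    """Split a preset total budget across nodes in proportion to benefit (assumed rule)."""
    total = sum(benefits.values())
    if total == 0:
        return {node: total_units / len(benefits) for node in benefits}
    return {node: total_units * b / total for node, b in benefits.items()}


# Constructed sample data: three hypothetical service nodes of one target service.
OBSERVATION_END = 1200.0
SAMPLE_TRIALS = [
    Trial("register", 1.0, 10.0, 110.0),   # bypassed after 100 s
    Trial("login", 1.0, 0.0, 200.0),       # bypassed after 200 s
    Trial("login", 1.0, 500.0, 900.0),     # bypassed after 400 s
    Trial("publish", 2.0, 0.0, None),      # not bypassed within the window
]

if __name__ == "__main__":
    measured = benefits_by_node(SAMPLE_TRIALS, OBSERVATION_END)
    print(measured, key_node(measured), interception_policy(measured, 10.0))
```

A trial with no observed bypass is right-censored, so its benefit is a lower bound; a longer observation window can only raise that node's score.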
According to one or more embodiments of the present disclosure, obtaining the target account includes: identifying the target account according to multi-dimensional features of daily service requests.
According to one or more embodiments of the present disclosure, identifying the target account according to the multi-dimensional features of the daily service requests includes: obtaining the multi-dimensional features of the daily service requests; clustering, according to the multi-dimensional features, the accounts corresponding to the daily service requests to obtain multiple clustered accounts, each clustered account being a set of multiple accounts having the same cluster features, where the cluster features are a subset of the multi-dimensional features; and determining a target clustered account according to the number of accounts in each of the clustered accounts, the accounts in the target clustered account being the target accounts.
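The clustering step above, as an added sketch that is not taken from the patent: accounts are grouped by every two-feature subset of their request features, and any group that reaches a minimum account count is treated as a target clustered account. The feature names, the sample requests, the subset size and the count threshold are assumptions.

```python
from collections import defaultdict
from itertools import combinations
from typing import Dict, Iterable, Mapping, Sequence, Set, Tuple

ClusterKey = Tuple[Tuple[str, str], ...]

# Hypothetical feature dimensions recorded for each daily service request.
FEATURES = ("device", "behavior", "content")

# Constructed sample requests: a1..a4 act alike, u1..u3 are unrelated users.
SAMPLE_REQUESTS = [
    {"account": "a1", "device": "emu-01", "behavior": "post/2s", "content": "h:7f3a"},
    {"account": "a1", "device": "emu-01", "behavior": "post/2s", "content": "h:7f3a"},
    {"account": "a2", "device": "emu-01", "behavior": "post/2s", "content": "h:7f3a"},
    {"account": "a3", "device": "emu-01", "behavior": "post/2s", "content": "h:11c0"},
    {"account": "a4", "device": "emu-01", "behavior": "post/2s", "content": "h:7f3a"},
    {"account": "u1", "device": "pixel-7", "behavior": "post/3h", "content": "h:a001"},
    {"account": "u2", "device": "iphone-14", "behavior": "post/1d", "content": "h:b002"},
    {"account": "u3", "device": "pixel-7", "behavior": "post/5h", "content": "h:c003"},
]


def cluster_accounts(
    requests: Iterable[Mapping[str, str]],
    features: Sequence[str] = FEATURES,
    subset_size: int = 2,
) -> Dict[ClusterKey, Set[str]]:
    """Group accounts that share the same values on a subset of the features."""
    clusters: Dict[ClusterKey, Set[str]] = defaultdict(set)
    for req in requests:
        for names in combinations(features, subset_size):
            key = tuple((name, req[name]) for name in names)
            # A set keeps repeated requests from one account from inflating the count.
            clusters[key].add(req["account"])
    return dict(clusters)


def target_accounts(
    requests: Iterable[Mapping[str, str]],
    min_accounts: int,
    features: Sequence[str] = FEATURES,
    subset_size: int = 2,
) -> Set[str]:
    """Accounts belonging to any cluster with at least min_accounts members."""
    flagged: Set[str] = set()
    for accounts in cluster_accounts(requests, features, subset_size).values():
        if len(accounts) >= min_accounts:
            flagged |= accounts
    return flagged


if __name__ == "__main__":
    print(sorted(target_accounts(SAMPLE_REQUESTS, min_accounts=3)))
```

Requiring agreement on two dimensions keeps u1 and u3, who merely share a device model, out of the flagged set.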
According to one or more embodiments of the present disclosure, the multi-dimensional features include at least two of the following categories: account features, device features, behavior features, and content features.
According to one or more embodiments of the present disclosure, the method further includes: obtaining appeal data, the appeal data being appeal information sent by the target account against the access interception; and updating the target account and/or an interception policy according to the appeal data, where the interception policy is a policy for performing access interception on service requests sent by the target account.
According to one or more embodiments of the present disclosure, updating the target account and/or the interception policy according to the appeal data includes: clustering according to the content of the appeal data to obtain a first appeal sample and a second appeal sample, where the first appeal sample is appeal information sent by a normal account, and the second appeal sample is an account with a risk of initiating illegal requests to the target service; and updating the target account and/or the interception policy according to the first appeal sample and/or the second appeal sample.
In a second aspect, according to one or more embodiments of the present disclosure, a service request processing apparatus is provided, including:
an acquisition module, configured to obtain a target account, the target account being an account with a risk of initiating illegal requests to a target service, the target service having at least two service nodes;
a determination module, configured to determine, according to the target account, a corresponding key service node, the key service node being the service node with the best interception effect among the at least two service nodes when access interception is performed on illegal requests initiated by the target account;
an interception module, configured to perform, based on the key service node, access interception on service requests sent by the target account.
According to one or more embodiments of the present disclosure, the determination module is specifically configured to: obtain a first service request sent by the target account; determine, according to the first service request, an interception benefit corresponding to each of the service nodes, the interception benefit representing, based on a unit of computing resources, the effective interception duration for which the attacker to which the target account belongs is intercepted at the corresponding service node; and determine the key service node according to the interception benefits.
According to one or more embodiments of the present disclosure, when determining the interception benefit corresponding to each of the service nodes according to the first service request, the determination module is specifically configured to: based on a preset unit of computing resources, perform access interception on the first service request sent by the target account at different service nodes respectively, and record a first moment corresponding to each of the service nodes, the first moment being the start time of the access interception; detect a second service request sent by the target account for the different service nodes, and record a second moment corresponding to the second service request, where the second service request is a service request that bypasses the access interception and the second moment is the time at which the second service request is received; and determine the interception benefit corresponding to each of the service nodes according to the first moment and the second moment.
According to one or more embodiments of the present disclosure, the interception module is specifically configured to: determine an interception policy based on the key service node, the interception policy representing the allocation of preset total computing resources among the service nodes; and intercept, according to the interception policy, the service requests sent by the target account at the key service node and at least one other service node.
According to one or more embodiments of the present disclosure, the acquisition module is specifically configured to: detect daily service requests; and identify the target account according to multi-dimensional features of the daily service requests.
According to one or more embodiments of the present disclosure, when identifying the target account according to the multi-dimensional features of the daily service requests, the acquisition module is specifically configured to: obtain the multi-dimensional features of the daily service requests; cluster, according to the multi-dimensional features, the accounts corresponding to the daily service requests to obtain multiple clustered accounts, each clustered account being a set of multiple accounts having the same cluster features, where the cluster features are a subset of the multi-dimensional features; and determine a target clustered account according to the number of accounts in each of the clustered accounts, the accounts in the target clustered account being the target accounts.
According to one or more embodiments of the present disclosure, the multi-dimensional features include at least two of the following categories: account features, device features, behavior features, and content features.
According to one or more embodiments of the present disclosure, the acquisition module is further configured to: obtain appeal data, the appeal data being appeal information sent by the target account against the access interception; and update the target account and/or an interception policy according to the appeal data, where the interception policy is a policy for performing access interception on service requests sent by the target account.
According to one or more embodiments of the present disclosure, when updating the target account and/or the interception policy according to the appeal data, the acquisition module is specifically configured to: cluster according to the content of the appeal data to obtain a first appeal sample and a second appeal sample, where the first appeal sample is appeal information sent by a normal account, and the second appeal sample is an account with a risk of initiating illegal requests to the target service; and update the target account and/or the interception policy according to the first appeal sample and/or the second appeal sample.
In a third aspect, according to one or more embodiments of the present disclosure, an electronic device is provided, including: a processor, and a memory communicatively connected to the processor;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to implement the service request processing method described in the first aspect and the various possible designs of the first aspect.
In a fourth aspect, according to one or more embodiments of the present disclosure, a computer-readable storage medium is provided. The computer-readable storage medium stores computer-executable instructions which, when executed by a processor, implement the service request processing method described in the first aspect and the various possible designs of the first aspect.
In a fifth aspect, embodiments of the present disclosure provide a computer program product, including a computer program that, when executed by a processor, implements the service request processing method described in the first aspect and the various possible designs of the first aspect.
In a sixth aspect, embodiments of the present disclosure provide a computer program that, when executed by a processor, implements the service request processing method described in the first aspect and the various possible designs of the first aspect.
The above description is merely of preferred embodiments of the present disclosure and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of disclosure involved in the present disclosure is not limited to technical solutions formed by the specific combination of the above technical features, and should also cover other technical solutions formed by any combination of the above technical features or their equivalent features without departing from the above disclosed concept, for example, technical solutions formed by replacing the above features with (but not limited to) technical features having similar functions disclosed in the present disclosure.
Furthermore, although operations are depicted in a specific order, this should not be understood as requiring that the operations be performed in the specific order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, although several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological logical acts, it should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are merely example forms of implementing the claims.

Claims (14)

  1. A service request processing method, comprising:
    obtaining a target account, the target account being an account with a risk of initiating illegal requests to a target service, the target service having at least two service nodes;
    determining, according to the target account, a corresponding key service node, the key service node being the service node with the best interception effect among the at least two service nodes when access interception is performed on illegal requests initiated by the target account;
    performing, based on the key service node, access interception on service requests sent by the target account.
  2. The method according to claim 1, wherein determining the corresponding key service node according to the target account comprises:
    obtaining a first service request sent by the target account;
    determining, according to the first service request, an interception benefit corresponding to each of the service nodes, the interception benefit representing, based on a unit of computing resources, the effective interception duration for which the attacker to which the target account belongs is intercepted at the corresponding service node;
    determining the key service node according to the interception benefits.
  3. The method according to claim 2, wherein determining the interception benefit corresponding to each of the service nodes according to the first service request comprises:
    based on a preset unit of computing resources, performing access interception on the first service request sent by the target account at different service nodes respectively, and recording a first moment corresponding to each of the service nodes, the first moment being the start time of the access interception;
    detecting a second service request sent by the target account for the different service nodes, and recording a second moment corresponding to the second service request, wherein the second service request is a service request that bypasses the access interception, and the second moment is the time at which the second service request is received;
    determining the interception benefit corresponding to each of the service nodes according to the first moment and the second moment.
  4. The method according to any one of claims 1 to 3, wherein performing access interception on service requests sent by the target account based on the key service node comprises:
    determining an interception policy based on the key service node, the interception policy representing the allocation of preset total computing resources among the service nodes;
    intercepting, according to the interception policy, the service requests sent by the target account at the key service node and at least one other service node.
  5. The method according to any one of claims 1 to 4, wherein obtaining the target account comprises:
    identifying the target account according to multi-dimensional features of daily service requests.
  6. The method according to claim 5, wherein identifying the target account according to the multi-dimensional features of the daily service requests comprises:
    obtaining the multi-dimensional features of the daily service requests;
    clustering, according to the multi-dimensional features, the accounts corresponding to the daily service requests to obtain multiple clustered accounts, each clustered account being a set of multiple accounts having the same cluster features, wherein the cluster features are a subset of the multi-dimensional features;
    determining a target clustered account according to the number of accounts in each of the clustered accounts, the accounts in the target clustered account being the target accounts.
  7. The method according to claim 5 or 6, wherein the multi-dimensional features include at least two of the following categories:
    account features, device features, behavior features, and content features.
  8. The method according to any one of claims 1 to 7, wherein the method further comprises:
    obtaining appeal data, the appeal data being appeal information sent by the target account against the access interception;
    updating the target account and/or an interception policy according to the appeal data, wherein the interception policy is a policy for performing access interception on service requests sent by the target account.
  9. The method according to claim 8, wherein updating the target account and/or the interception policy according to the appeal data comprises:
    clustering according to the content of the appeal data to obtain a first appeal sample and a second appeal sample, wherein the first appeal sample is appeal information sent by a normal account, and the second appeal sample is an account with a risk of initiating illegal requests to the target service;
    updating the target account and/or the interception policy according to the first appeal sample and/or the second appeal sample.
  10. A service request processing apparatus, comprising:
    an acquisition module, configured to obtain a target account, the target account being an account with a risk of initiating illegal requests to a target service, the target service having at least two service nodes;
    a determination module, configured to determine, according to the target account, a corresponding key service node, the key service node being the service node with the best interception effect among the at least two service nodes when access interception is performed on illegal requests initiated by the target account;
    an interception module, configured to perform, based on the key service node, access interception on service requests sent by the target account.
  11. An electronic device, comprising: a processor, and a memory communicatively connected to the processor;
    the memory stores computer-executable instructions;
    the processor executes the computer-executable instructions stored in the memory to implement the service request processing method according to any one of claims 1 to 9.
  12. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the service request processing method according to any one of claims 1 to 9.
  13. A computer program product, comprising a computer program that, when executed by a processor, implements the service request processing method according to any one of claims 1 to 9.
  14. A computer program, the computer program being used to implement the service request processing method according to any one of claims 1 to 9.
PCT/CN2023/113405 2022-08-26 2023-08-16 Service request processing method and apparatus, and electronic device and storage medium WO2024041436A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211037837.4 2022-08-26
CN202211037837.4A CN117675242A (en) 2022-08-26 2022-08-26 Service request processing method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2024041436A1 true WO2024041436A1 (en) 2024-02-29

Family

ID=90012450

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/113405 WO2024041436A1 (en) 2022-08-26 2023-08-16 Service request processing method and apparatus, and electronic device and storage medium

Country Status (2)

Country Link
CN (1) CN117675242A (en)
WO (1) WO2024041436A1 (en)

Also Published As

Publication number Publication date
CN117675242A (en) 2024-03-08

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23856526

Country of ref document: EP

Kind code of ref document: A1